From aca639afe8c435f45ccc1864c42236252646fff9 Mon Sep 17 00:00:00 2001
From: Louis Burda <quent.burda@gmail.com>
Date: Tue, 15 Jun 2021 19:04:22 +0200
Subject: add service overview slides

---
 documentation/slides/.gitignore            |   1 +
 documentation/slides/index.html            | 699 +++++++++++++++++++++++++++++
 documentation/slides/media/exploit-1-1.png | Bin 0 -> 16715 bytes
 documentation/slides/media/exploit-1-2.png | Bin 0 -> 26940 bytes
 documentation/slides/media/exploit-1-3.png | Bin 0 -> 52090 bytes
 documentation/slides/media/exploit-1-4.png | Bin 0 -> 70074 bytes
 documentation/slides/media/exploit-1-5.png | Bin 0 -> 71647 bytes
 documentation/slides/media/exploit-2-1.png | Bin 0 -> 46589 bytes
 documentation/slides/media/search.gif      | Bin 0 -> 60562 bytes
 documentation/slides/media/socat.gif       | Bin 0 -> 19413 bytes
 documentation/slides/slides.md             | 184 ++++++++
 documentation/slides/stldoctor.pdf         | Bin 0 -> 579874 bytes
 12 files changed, 884 insertions(+)
 create mode 100644 documentation/slides/.gitignore
 create mode 100644 documentation/slides/index.html
 create mode 100644 documentation/slides/media/exploit-1-1.png
 create mode 100644 documentation/slides/media/exploit-1-2.png
 create mode 100644 documentation/slides/media/exploit-1-3.png
 create mode 100644 documentation/slides/media/exploit-1-4.png
 create mode 100644 documentation/slides/media/exploit-1-5.png
 create mode 100644 documentation/slides/media/exploit-2-1.png
 create mode 100644 documentation/slides/media/search.gif
 create mode 100644 documentation/slides/media/socat.gif
 create mode 100644 documentation/slides/slides.md
 create mode 100644 documentation/slides/stldoctor.pdf

(limited to 'documentation/slides')

diff --git a/documentation/slides/.gitignore b/documentation/slides/.gitignore
new file mode 100644
index 0000000..e4e7469
--- /dev/null
+++ b/documentation/slides/.gitignore
@@ -0,0 +1 @@
+slides
diff --git a/documentation/slides/index.html b/documentation/slides/index.html
new file mode 100644
index 0000000..cc0aa6a
--- /dev/null
+++ b/documentation/slides/index.html
@@ -0,0 +1,699 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">
+  <title>STLDoctor</title>
+  <style type="text/css">
+    body {
+  font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;
+  color: #222;
+  font-size: 100%;
+}
+
+.slide {
+  position: absolute;
+  top: 0; bottom: 0;
+  left: 0; right: 0;
+  background-color: #f7f7f7;
+}
+
+.slide-content {
+  width: 800px;
+  height: 600px;
+  overflow: hidden;
+  margin: 80px auto 0 auto;
+  padding: 30px;
+
+  font-weight: 200;
+  font-size: 200%;
+  line-height: 1.375;
+}
+
+.controls {
+  position: absolute;
+  bottom: 20px;
+  left: 20px;
+}
+
+.arrow {
+  width: 0; height: 0;
+  border: 30px solid #333;
+  float: left;
+  margin-right: 30px;
+
+  -webkit-touch-callout: none;
+  -webkit-user-select: none;
+  -khtml-user-select: none;
+  -moz-user-select: none;
+  -ms-user-select: none;
+  user-select: none;
+}
+
+.prev {
+  border-top-color: transparent;
+  border-bottom-color: transparent;
+  border-left-color: transparent;
+
+  border-left-width: 0;
+  border-right-width: 50px;
+}
+
+.next {
+  border-top-color: transparent;
+  border-bottom-color: transparent;
+  border-right-color: transparent;
+
+  border-left-width: 50px;
+  border-right-width: 0;
+}
+
+.prev:hover {
+  border-right-color: #888;
+  cursor: pointer;
+}
+
+.next:hover {
+  border-left-color: #888;
+  cursor: pointer;
+}
+
+h1 {
+  font-size: 300%;
+  line-height: 1.2;
+  text-align: center;
+  margin: 170px 0 0;
+}
+
+h2 {
+  font-size: 100%;
+  line-height: 1.2;
+  margin: 5px 0;
+  text-align: center;
+  font-weight: 200;
+}
+
+h3 {
+  font-size: 140%;
+  line-height: 1.2;
+  border-bottom: 1px solid #aaa;
+  margin: 0;
+  padding-bottom: 15px;
+}
+
+ul {
+  padding: 20px 0 0 60px;
+  font-weight: 200;
+  line-height: 1.375;
+}
+
+.author h1 {
+  font-size: 170%;
+  font-weight: 200;
+  text-align: center;
+  margin-bottom: 30px;
+}
+
+.author h3 {
+  font-weight: 100;
+  text-align: center;
+  font-size: 95%;
+  border: none;
+}
+
+a {
+  text-decoration: none;
+  color: #44a4dd;
+}
+
+a:hover {
+  color: #66b5ff;
+}
+
+pre {
+  font-size: 60%;
+  line-height: 1.3;
+}
+
+.progress {
+  position: fixed;
+  top: 0; left: 0; right: 0;
+  height: 3px;
+  z-index: 1;
+}
+
+.progress-bar {
+  width: 0%;
+  height: 3px;
+  background-color: #b4b4b4;
+
+  -webkit-transition: width 0.05s ease-out;
+  -moz-transition: width 0.05s ease-out;
+  -o-transition: width 0.05s ease-out;
+  transition: width 0.05s ease-out;
+}
+
+.hidden {
+  display: none;
+}
+
+@media (max-width: 850px) {
+
+  body {
+    font-size: 70%;
+  }
+
+  .slide-content {
+    width: auto;
+  }
+
+  img {
+    width: 100%;
+  }
+
+  h1 {
+    margin-top: 120px;
+  }
+
+  .prev, .prev:hover {
+    border-right-color: rgba(135, 135, 135, 0.5);
+  }
+
+  .next, .next:hover {
+    border-left-color: rgba(135, 135, 135, 0.5);
+  }
+}
+
+@media (max-width: 480px) {
+  body {
+    font-size: 50%;
+    overflow: hidden;
+  }
+
+  .slide-content {
+    padding: 10px;
+    margin-top: 10px;
+    height: 340px;
+  }
+
+  h1 {
+    margin-top: 50px;
+  }
+
+  ul {
+    padding-left: 25px;
+  }
+}
+
+@media print {
+  * {
+    -webkit-print-color-adjust: exact;
+  }
+
+  @page {
+    size: letter;
+  }
+
+  .hidden {
+    display: inline;
+  }
+
+  html {
+    width: 100%;
+    height: 100%;
+    overflow: visible;
+  }
+
+  body {
+    margin: 0 auto !important;
+    border: 0;
+    padding: 0;
+    float: none !important;
+    overflow: visible;
+    background: none !important;
+    font-size: 52%;
+  }
+
+  .progress, .controls {
+    display: none;
+  }
+
+  .slide {
+    position: static;
+  }
+
+  .slide-content {
+    border: 1px solid #222;
+    margin-top: 0;
+    margin-bottom: 40px;
+    height: 3.5in;
+    overflow: visible;
+  }
+
+  .slide:nth-child(even) {
+    /* 2 slides per page */
+    page-break-before: always;
+  }
+}
+
+/*
+
+github.com style (c) Vasily Polovnyov <vast@whiteants.net>
+
+*/
+
+.hljs {
+  display: block;
+  overflow-x: auto;
+  padding: 0.5em;
+  color: #333;
+  background: #f8f8f8;
+}
+
+.hljs-comment,
+.hljs-quote {
+  color: #998;
+  font-style: italic;
+}
+
+.hljs-keyword,
+.hljs-selector-tag,
+.hljs-subst {
+  color: #333;
+  font-weight: bold;
+}
+
+.hljs-number,
+.hljs-literal,
+.hljs-variable,
+.hljs-template-variable,
+.hljs-tag .hljs-attr {
+  color: #008080;
+}
+
+.hljs-string,
+.hljs-doctag {
+  color: #d14;
+}
+
+.hljs-title,
+.hljs-section,
+.hljs-selector-id {
+  color: #900;
+  font-weight: bold;
+}
+
+.hljs-subst {
+  font-weight: normal;
+}
+
+.hljs-type,
+.hljs-class .hljs-title {
+  color: #458;
+  font-weight: bold;
+}
+
+.hljs-tag,
+.hljs-name,
+.hljs-attribute {
+  color: #000080;
+  font-weight: normal;
+}
+
+.hljs-regexp,
+.hljs-link {
+  color: #009926;
+}
+
+.hljs-symbol,
+.hljs-bullet {
+  color: #990073;
+}
+
+.hljs-built_in,
+.hljs-builtin-name {
+  color: #0086b3;
+}
+
+.hljs-meta {
+  color: #999;
+  font-weight: bold;
+}
+
+.hljs-deletion {
+  background: #fdd;
+}
+
+.hljs-addition {
+  background: #dfd;
+}
+
+.hljs-emphasis {
+  font-style: italic;
+}
+
+.hljs-strong {
+  font-weight: bold;
+}
+
+
+  </style>
+    <script async src="http://localhost:35729/livereload.js"></script>
+</head>
+<body>
+    <div class="progress">
+    <div class="progress-bar"></div>
+  </div>
+
+  <div class="slide" id="slide-1">
+    <section class="slide-content"><style>
+
+.footnote {
+    font-size: 16pt;
+    position: absolute;
+    color: gray;
+    bottom: 0px;
+    right: 0px;
+}
+
+.slide-content {
+    position: relative;
+}
+
+.slide-content > ul >li {
+    padding: 7px 0px;
+}
+
+.slide-content > p > img {
+    width: 100%;
+}
+
+</style></section>
+  </div>
+  <div class="slide hidden" id="slide-2">
+    <section class="slide-content"><h1 id="stldoctor-">STLDoctor 💉</h1>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-3">
+    <section class="slide-content"><h3 id="the-plan-">The Plan 💡</h3>
+<!-- Familiar with C and wondered about non-standard
+     buffer-/integer overflow C bugs -->
+<!-- Plaintext file inspection service -->
+<!-- Interesting and realisitic bugs -->
+<!-- Written in C -->
+<!-- Have to combine 'gadgets' for exploit, but
+     as a logic bug, not RCE -->
+<ul>
+<li>Plaintext service</li>
+<li>Interesting C bugs</li>
+<li>Exploit logic bugs, not RCE</li>
+<li>Learn about the STL format</li>
+</ul>
+<p><img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-4">
+    <section class="slide-content"><h3 id="setup-">Setup 🔧</h3>
+<ul>
+<li>C binary that communicates via <code>stdin</code> and <code>stdout</code></li>
+<li>Networking abstracted through hosting with <code>socat</code></li>
+<li>File system backend with periodic clean up</li>
+</ul>
+<p><img src="media/socat.gif" alt="socat"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-5">
+    <section class="slide-content"><h3 id="functionality-">Functionality 🎮</h3>
+<!-- file system backend separates user accounts and stl files location for non-guests -->
+<!-- guest account files can be downloaded by knowing their modelname,
+     premium account files can only be downloaded by authenticated users -->
+<ul>
+<li>Users can upload and search for files</li>
+<li>Register to upload private files</li>
+<li>Uploaded files are analyzed and information is returned to the user</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden -" id="slide-6">
+    <section class="slide-content"><!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->
+<p><img src="media/search.gif" alt="FileSearch"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-7">
+    <section class="slide-content"><h3 id="1-vuln-">1. Vuln 💉</h3>
+<ul>
+<li>Flags are stored in the solidname of the STL</li>
+<li>Bug in upload info file parsing allows attacker to retrieve any public file</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-8">
+    <section class="slide-content"><h3 id="2-vuln-">2. Vuln 💉</h3>
+<ul>
+<li>Flags are stored in the solidname of a private file</li>
+<li>Buffer overflow in hash function allows enumeration of private user hashes</li>
+<li>Generate preimages of weak hash function to login as users</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-9">
+    <section class="slide-content"><h3 id="goals-met-">Goals Met 🎉</h3>
+<!-- dont need to be an expert at fancy exploitation to exploit,
+     just basic knowledge of C and testing code snippets to see
+     if they do what you expect them to in different cases -->
+<p>⭐ Plaintext file inspection service <br>
+⭐ Interesting and realisitic bugs <br>
+⭐ Combine different gadgets for exploit <br>
+⭐ Don&#39;t need to be an expert at fancy ROP <br>
+⭐ No SLA lost in TestCTF <br>
+⭐ Written in C</p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-10">
+    <section class="slide-content"><h3 id="issues-">Issues 📉</h3>
+<!-- Currently, the exploits dont require you to understand the
+    STL file format, however, to make sure that the service
+    is working correctly, you need to inspect the code -->
+<!-- Still considering encoding of flags as STL, but want to
+    avoid -->
+<p>💥 Exploits not directly related to STL format <br>
+💥 (Eno)checker has memory leaks</p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-11">
+    <section class="slide-content"><h3 id="lesssons-learned">Lesssons Learned</h3>
+<!-- from the feedback I gathered, that not a lot of people write C code
+     often, but this also means it is a great opportunity for learning
+     something new. -->
+<ul>
+<li>Many exploits are not suited for A/D ctfs</li>
+<li>How to write a FSM format parser</li>
+<li>Be careful with casts in C</li>
+<li>People just <em>love</em> C services 🤡</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-12">
+    <section class="slide-content"></section>
+  </div>
+  <div class="slide hidden" id="slide-13">
+    <section class="slide-content"></section>
+  </div>
+  <div class="slide hidden" id="slide-14">
+    <section class="slide-content"><h1 id="exploit-1">Exploit 1</h1>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-15">
+    <section class="slide-content"><p><img src="media/exploit-1-1.png" alt="exploit-1-1"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-16">
+    <section class="slide-content"><p><img src="media/exploit-1-2.png" alt="exploit-1-2"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-17">
+    <section class="slide-content"><p><img src="media/exploit-1-3.png" alt="exploit-1-3"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-18">
+    <section class="slide-content"><p><img src="media/exploit-1-4.png" alt="exploit-1-4"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-19">
+    <section class="slide-content"><p><img src="media/exploit-1-5.png" alt="exploit-1-5"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-20">
+    <section class="slide-content"><h1 id="exploit-2">Exploit 2</h1>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-21">
+    <section class="slide-content"><p><img src="media/exploit-2-1.png" alt="exploit-2-1"></p>
+<script>
+    // var slide_headers = document.querySelectorAll(".slide-content > h3");
+    // for (var i = 0; i < slide_headers.length; i++) {
+    //     var img = document.createElement('img')
+    //     img.src = "logo.png";
+    //     img.style = "height: 2.4ex; padding-right: 10px; float:right";
+    //     slide_headers[i].append(img);
+    // }
+</script></section>
+  </div>
+
+
+
+  <script type="text/javascript">
+    /**
+ * Returns the current page number of the presentation.
+ */
+function currentPosition() {
+  return parseInt(document.querySelector('.slide:not(.hidden)').id.slice(6));
+}
+
+
+/**
+ * Navigates forward n pages
+ * If n is negative, we will navigate in reverse
+ */
+function navigate(n) {
+  var position = currentPosition();
+  var numSlides = document.getElementsByClassName('slide').length;
+
+  /* Positions are 1-indexed, so we need to add and subtract 1 */
+  var nextPosition = (position - 1 + n) % numSlides + 1;
+
+  /* Normalize nextPosition in-case of a negative modulo result */
+  nextPosition = (nextPosition - 1 + numSlides) % numSlides + 1;
+
+  document.getElementById('slide-' + position).classList.add('hidden');
+  document.getElementById('slide-' + nextPosition).classList.remove('hidden');
+
+  updateProgress();
+  updateURL();
+  updateTabIndex();
+}
+
+
+/**
+ * Updates the current URL to include a hashtag of the current page number.
+ */
+function updateURL() {
+  try {
+    window.history.replaceState({} , null, '#' + currentPosition());
+  } catch (e) {
+    window.location.hash = currentPosition();
+  }
+}
+
+
+/**
+ * Sets the progress indicator.
+ */
+function updateProgress() {
+  var progressBar = document.querySelector('.progress-bar');
+
+  if (progressBar !== null) {
+    var numSlides = document.getElementsByClassName('slide').length;
+    var position = currentPosition() - 1;
+    var percent = (numSlides === 1) ? 100 : 100 * position / (numSlides - 1);
+    progressBar.style.width = percent.toString() + '%';
+  }
+}
+
+
+/**
+ * Removes tabindex property from all links on the current slide, sets
+ * tabindex = -1 for all links on other slides. Prevents slides from appearing
+ * out of control.
+ */
+function updateTabIndex() {
+  var allLinks = document.querySelectorAll('.slide a');
+  var position = currentPosition();
+  var currentPageLinks = document.getElementById('slide-' + position).querySelectorAll('a');
+  var i;
+
+  for (i = 0; i < allLinks.length; i++) {
+    allLinks[i].setAttribute('tabindex', -1);
+  }
+
+  for (i = 0; i < currentPageLinks.length; i++) {
+    currentPageLinks[i].removeAttribute('tabindex');
+  }
+}
+
+/**
+ * Determines whether or not we are currently in full screen mode
+ */
+function isFullScreen() {
+  return document.fullscreenElement ||
+         document.mozFullScreenElement ||
+         document.webkitFullscreenElement ||
+         document.msFullscreenElement;
+}
+
+/**
+ * Toggle fullScreen mode on document element.
+ * Works on chrome (>= 15), firefox (>= 9), ie (>= 11), opera(>= 12.1), safari (>= 5).
+ */
+function toggleFullScreen() {
+  /* Convenient renames */
+  var docElem = document.documentElement;
+  var doc = document;
+
+  docElem.requestFullscreen =
+      docElem.requestFullscreen ||
+      docElem.msRequestFullscreen ||
+      docElem.mozRequestFullScreen ||
+      docElem.webkitRequestFullscreen.bind(docElem, Element.ALLOW_KEYBOARD_INPUT);
+
+  doc.exitFullscreen =
+      doc.exitFullscreen ||
+      doc.msExitFullscreen ||
+      doc.mozCancelFullScreen ||
+      doc.webkitExitFullscreen;
+
+  isFullScreen() ? doc.exitFullscreen() : docElem.requestFullscreen();
+}
+
+document.addEventListener('DOMContentLoaded', function () {
+  // Update the tabindex to prevent weird slide transitioning
+  updateTabIndex();
+
+  // If the location hash specifies a page number, go to it.
+  var page = window.location.hash.slice(1);
+  if (page) {
+    navigate(parseInt(page) - 1);
+  }
+
+  document.onkeydown = function (e) {
+    var kc = e.keyCode;
+
+    // left, down, H, J, backspace, PgUp - BACK
+    // up, right, K, L, space, PgDn - FORWARD
+    // enter - FULLSCREEN
+    if (kc === 37 || kc === 40 || kc === 8 || kc === 72 || kc === 74 || kc === 33) {
+      navigate(-1);
+    } else if (kc === 38 || kc === 39 || kc === 32 || kc === 75 || kc === 76 || kc === 34) {
+      navigate(1);
+    } else if (kc === 13) {
+      toggleFullScreen();
+    }
+  };
+
+  if (document.querySelector('.next') && document.querySelector('.prev')) {
+    document.querySelector('.next').onclick = function (e) {
+      e.preventDefault();
+      navigate(1);
+    };
+
+    document.querySelector('.prev').onclick = function (e) {
+      e.preventDefault();
+      navigate(-1);
+    };
+  }
+});
+
+
+  </script>
+</body>
+</html>
diff --git a/documentation/slides/media/exploit-1-1.png b/documentation/slides/media/exploit-1-1.png
new file mode 100644
index 0000000..b251075
Binary files /dev/null and b/documentation/slides/media/exploit-1-1.png differ
diff --git a/documentation/slides/media/exploit-1-2.png b/documentation/slides/media/exploit-1-2.png
new file mode 100644
index 0000000..e63f7d0
Binary files /dev/null and b/documentation/slides/media/exploit-1-2.png differ
diff --git a/documentation/slides/media/exploit-1-3.png b/documentation/slides/media/exploit-1-3.png
new file mode 100644
index 0000000..4dc961d
Binary files /dev/null and b/documentation/slides/media/exploit-1-3.png differ
diff --git a/documentation/slides/media/exploit-1-4.png b/documentation/slides/media/exploit-1-4.png
new file mode 100644
index 0000000..2d75f2f
Binary files /dev/null and b/documentation/slides/media/exploit-1-4.png differ
diff --git a/documentation/slides/media/exploit-1-5.png b/documentation/slides/media/exploit-1-5.png
new file mode 100644
index 0000000..874529b
Binary files /dev/null and b/documentation/slides/media/exploit-1-5.png differ
diff --git a/documentation/slides/media/exploit-2-1.png b/documentation/slides/media/exploit-2-1.png
new file mode 100644
index 0000000..91b0df7
Binary files /dev/null and b/documentation/slides/media/exploit-2-1.png differ
diff --git a/documentation/slides/media/search.gif b/documentation/slides/media/search.gif
new file mode 100644
index 0000000..de4ed18
Binary files /dev/null and b/documentation/slides/media/search.gif differ
diff --git a/documentation/slides/media/socat.gif b/documentation/slides/media/socat.gif
new file mode 100644
index 0000000..38f1e93
Binary files /dev/null and b/documentation/slides/media/socat.gif differ
diff --git a/documentation/slides/slides.md b/documentation/slides/slides.md
new file mode 100644
index 0000000..48e3447
--- /dev/null
+++ b/documentation/slides/slides.md
@@ -0,0 +1,184 @@
+title: STLDoctor
+output: index.html
+controls: false
+
+--
+
+<style>
+
+.footnote {
+	font-size: 16pt;
+	position: absolute;
+	color: gray;
+	bottom: 0px;
+	right: 0px;
+}
+
+.slide-content {
+	position: relative;
+}
+
+.slide-content > ul >li {
+	padding: 7px 0px;
+}
+
+.slide-content > p > img {
+	width: 100%;
+}
+
+</style>
+
+--
+
+# STLDoctor 💉
+
+--
+
+### The Plan 💡
+
+<!-- Familiar with C and wondered about non-standard
+     buffer-/integer overflow C bugs -->
+<!-- Plaintext file inspection service -->
+<!-- Interesting and realisitic bugs -->
+<!-- Written in C -->
+<!-- Have to combine 'gadgets' for exploit, but
+     as a logic bug, not RCE -->
+- Plaintext service
+- Interesting C bugs
+- Exploit logic bugs, not RCE
+- Learn about the STL format
+
+<img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png">
+
+--
+
+### Setup 🔧
+
+- C binary that communicates via `stdin` and `stdout`
+- Networking abstracted through hosting with `socat`
+- File system backend with periodic clean up
+
+![socat](media/socat.gif)
+
+--
+
+### Functionality 🎮
+
+<!-- file system backend separates user accounts and stl files location for non-guests -->
+<!-- guest account files can be downloaded by knowing their modelname,
+     premium account files can only be downloaded by authenticated users -->
+
+- Users can upload and search for files
+- Register to upload private files
+- Uploaded files are analyzed and information is returned to the user
+
+---
+
+<!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->
+
+![FileSearch](media/search.gif)
+
+--
+
+### 1. Vuln 💉
+
+- Flags are stored in the solidname of the STL
+- Bug in upload info file parsing allows attacker to retrieve any public file
+
+--
+
+### 2. Vuln 💉
+
+- Flags are stored in the solidname of a private file
+- Buffer overflow in hash function allows enumeration of private user hashes
+- Generate preimages of weak hash function to login as users
+
+--
+
+### Goals Met 🎉
+
+<!-- dont need to be an expert at fancy exploitation to exploit,
+     just basic knowledge of C and testing code snippets to see
+     if they do what you expect them to in different cases -->
+
+⭐ Plaintext file inspection service <br>
+⭐ Interesting and realisitic bugs <br>
+⭐ Combine different gadgets for exploit <br>
+⭐ Don't need to be an expert at fancy ROP <br>
+⭐ No SLA lost in TestCTF <br>
+⭐ Written in C
+
+--
+
+### Issues 📉
+
+<!-- Currently, the exploits dont require you to understand the
+	STL file format, however, to make sure that the service
+	is working correctly, you need to inspect the code -->
+
+<!-- Still considering encoding of flags as STL, but want to
+	avoid -->
+
+💥 Exploits not directly related to STL format <br>
+💥 (Eno)checker has memory leaks
+
+--
+
+### Lesssons Learned 
+
+<!-- from the feedback I gathered, that not a lot of people write C code
+     often, but this also means it is a great opportunity for learning
+     something new. -->
+
+- Many exploits are not suited for A/D ctfs
+- How to write a FSM format parser
+- Be careful with casts in C
+- People just *love* C services 🤡
+
+--
+
+--
+
+--
+
+# Exploit 1
+
+--
+
+![exploit-1-1](media/exploit-1-1.png)
+
+--
+
+![exploit-1-2](media/exploit-1-2.png)
+
+--
+
+![exploit-1-3](media/exploit-1-3.png)
+
+--
+
+![exploit-1-4](media/exploit-1-4.png)
+
+--
+
+![exploit-1-5](media/exploit-1-5.png)
+
+--
+
+# Exploit 2
+
+--
+
+![exploit-2-1](media/exploit-2-1.png)
+
+
+
+<script>
+	// var slide_headers = document.querySelectorAll(".slide-content > h3");
+	// for (var i = 0; i < slide_headers.length; i++) {
+	// 	var img = document.createElement('img')
+	// 	img.src = "logo.png";
+	// 	img.style = "height: 2.4ex; padding-right: 10px; float:right";
+	// 	slide_headers[i].append(img);
+	// }
+</script>
diff --git a/documentation/slides/stldoctor.pdf b/documentation/slides/stldoctor.pdf
new file mode 100644
index 0000000..ddfe89b
Binary files /dev/null and b/documentation/slides/stldoctor.pdf differ
-- 
cgit v1.2.3-71-gd317