From 6a321759f6f75e7e14a29fde7cd0fa359d14215e Mon Sep 17 00:00:00 2001
From: Louis Burda <quent.burda@gmail.com>
Date: Wed, 21 Jul 2021 19:37:15 +0200
Subject: final tweaks to documentations, added intro and final presentation
 slides

---
 documentation/README.md                            |  44 +-
 documentation/slides-final/.gitignore              |   1 +
 documentation/slides-final/index.html              | 768 +++++++++++++++++++++
 documentation/slides-final/media/dirlist.png       | Bin 0 -> 2322 bytes
 .../slides-final/media/enowars5-timeout.png        | Bin 0 -> 202709 bytes
 documentation/slides-final/media/enowars5.png      | Bin 0 -> 22214 bytes
 documentation/slides-final/media/exploit-1-1.png   | Bin 0 -> 16715 bytes
 documentation/slides-final/media/exploit-1-2.png   | Bin 0 -> 26940 bytes
 documentation/slides-final/media/exploit-1-3.png   | Bin 0 -> 52090 bytes
 documentation/slides-final/media/exploit-1-4.png   | Bin 0 -> 70074 bytes
 documentation/slides-final/media/exploit-1-5.png   | Bin 0 -> 71647 bytes
 documentation/slides-final/media/exploit-2-1.png   | Bin 0 -> 46589 bytes
 documentation/slides-final/media/getdirentries.png | Bin 0 -> 135007 bytes
 .../slides-final/media/player-meme-hashfunc.png    | Bin 0 -> 221940 bytes
 .../slides-final/media/player-meme-struggling.png  | Bin 0 -> 99623 bytes
 documentation/slides-final/media/readdir.png       | Bin 0 -> 119892 bytes
 documentation/slides-final/media/readdir_more.png  | Bin 0 -> 124526 bytes
 documentation/slides-final/media/search.gif        | Bin 0 -> 60562 bytes
 documentation/slides-final/media/socat.gif         | Bin 0 -> 19413 bytes
 documentation/slides-final/media/stl1.png          | Bin 0 -> 17519 bytes
 documentation/slides-final/media/stl2.png          | Bin 0 -> 19783 bytes
 documentation/slides-final/media/stl3.png          | Bin 0 -> 16751 bytes
 documentation/slides-final/media/stldoc.png        | Bin 0 -> 114257 bytes
 documentation/slides-final/media/stldoc_dead.png   | Bin 0 -> 686794 bytes
 .../slides-final/media/stldoc_dead_offline.png     | Bin 0 -> 142293 bytes
 .../slides-final/media/stldoc_dead_r17.png         | Bin 0 -> 148922 bytes
 .../slides-final/media/stldoc_dead_r432.png        | Bin 0 -> 267521 bytes
 .../slides-final/media/stldoc_dead_r469.png        | Bin 0 -> 250294 bytes
 documentation/slides-final/slides.md               | 253 +++++++
 documentation/slides-final/stldoctor.pdf           | Bin 0 -> 2073788 bytes
 documentation/slides-intro/.gitignore              |   1 +
 documentation/slides-intro/index.html              | 699 +++++++++++++++++++
 documentation/slides-intro/media/exploit-1-1.png   | Bin 0 -> 16715 bytes
 documentation/slides-intro/media/exploit-1-2.png   | Bin 0 -> 26940 bytes
 documentation/slides-intro/media/exploit-1-3.png   | Bin 0 -> 52090 bytes
 documentation/slides-intro/media/exploit-1-4.png   | Bin 0 -> 70074 bytes
 documentation/slides-intro/media/exploit-1-5.png   | Bin 0 -> 71647 bytes
 documentation/slides-intro/media/exploit-2-1.png   | Bin 0 -> 46589 bytes
 documentation/slides-intro/media/search.gif        | Bin 0 -> 60562 bytes
 documentation/slides-intro/media/socat.gif         | Bin 0 -> 19413 bytes
 documentation/slides-intro/slides.md               | 184 +++++
 documentation/slides-intro/stldoctor.pdf           | Bin 0 -> 579874 bytes
 documentation/slides/.gitignore                    |   1 -
 documentation/slides/index.html                    | 699 -------------------
 documentation/slides/media/exploit-1-1.png         | Bin 16715 -> 0 bytes
 documentation/slides/media/exploit-1-2.png         | Bin 26940 -> 0 bytes
 documentation/slides/media/exploit-1-3.png         | Bin 52090 -> 0 bytes
 documentation/slides/media/exploit-1-4.png         | Bin 70074 -> 0 bytes
 documentation/slides/media/exploit-1-5.png         | Bin 71647 -> 0 bytes
 documentation/slides/media/exploit-2-1.png         | Bin 46589 -> 0 bytes
 documentation/slides/media/search.gif              | Bin 60562 -> 0 bytes
 documentation/slides/media/socat.gif               | Bin 19413 -> 0 bytes
 documentation/slides/slides.md                     | 184 -----
 documentation/slides/stldoctor.pdf                 | Bin 579874 -> 0 bytes
 54 files changed, 1929 insertions(+), 905 deletions(-)
 create mode 100644 documentation/slides-final/.gitignore
 create mode 100644 documentation/slides-final/index.html
 create mode 100644 documentation/slides-final/media/dirlist.png
 create mode 100644 documentation/slides-final/media/enowars5-timeout.png
 create mode 100644 documentation/slides-final/media/enowars5.png
 create mode 100644 documentation/slides-final/media/exploit-1-1.png
 create mode 100644 documentation/slides-final/media/exploit-1-2.png
 create mode 100644 documentation/slides-final/media/exploit-1-3.png
 create mode 100644 documentation/slides-final/media/exploit-1-4.png
 create mode 100644 documentation/slides-final/media/exploit-1-5.png
 create mode 100644 documentation/slides-final/media/exploit-2-1.png
 create mode 100644 documentation/slides-final/media/getdirentries.png
 create mode 100644 documentation/slides-final/media/player-meme-hashfunc.png
 create mode 100644 documentation/slides-final/media/player-meme-struggling.png
 create mode 100644 documentation/slides-final/media/readdir.png
 create mode 100644 documentation/slides-final/media/readdir_more.png
 create mode 100644 documentation/slides-final/media/search.gif
 create mode 100644 documentation/slides-final/media/socat.gif
 create mode 100644 documentation/slides-final/media/stl1.png
 create mode 100644 documentation/slides-final/media/stl2.png
 create mode 100644 documentation/slides-final/media/stl3.png
 create mode 100644 documentation/slides-final/media/stldoc.png
 create mode 100644 documentation/slides-final/media/stldoc_dead.png
 create mode 100644 documentation/slides-final/media/stldoc_dead_offline.png
 create mode 100644 documentation/slides-final/media/stldoc_dead_r17.png
 create mode 100644 documentation/slides-final/media/stldoc_dead_r432.png
 create mode 100644 documentation/slides-final/media/stldoc_dead_r469.png
 create mode 100644 documentation/slides-final/slides.md
 create mode 100644 documentation/slides-final/stldoctor.pdf
 create mode 100644 documentation/slides-intro/.gitignore
 create mode 100644 documentation/slides-intro/index.html
 create mode 100644 documentation/slides-intro/media/exploit-1-1.png
 create mode 100644 documentation/slides-intro/media/exploit-1-2.png
 create mode 100644 documentation/slides-intro/media/exploit-1-3.png
 create mode 100644 documentation/slides-intro/media/exploit-1-4.png
 create mode 100644 documentation/slides-intro/media/exploit-1-5.png
 create mode 100644 documentation/slides-intro/media/exploit-2-1.png
 create mode 100644 documentation/slides-intro/media/search.gif
 create mode 100644 documentation/slides-intro/media/socat.gif
 create mode 100644 documentation/slides-intro/slides.md
 create mode 100644 documentation/slides-intro/stldoctor.pdf
 delete mode 100644 documentation/slides/.gitignore
 delete mode 100644 documentation/slides/index.html
 delete mode 100644 documentation/slides/media/exploit-1-1.png
 delete mode 100644 documentation/slides/media/exploit-1-2.png
 delete mode 100644 documentation/slides/media/exploit-1-3.png
 delete mode 100644 documentation/slides/media/exploit-1-4.png
 delete mode 100644 documentation/slides/media/exploit-1-5.png
 delete mode 100644 documentation/slides/media/exploit-2-1.png
 delete mode 100644 documentation/slides/media/search.gif
 delete mode 100644 documentation/slides/media/socat.gif
 delete mode 100644 documentation/slides/slides.md
 delete mode 100644 documentation/slides/stldoctor.pdf

(limited to 'documentation')

diff --git a/documentation/README.md b/documentation/README.md
index f507ecc..b664fc0 100644
--- a/documentation/README.md
+++ b/documentation/README.md
@@ -19,20 +19,21 @@ allows users to search for public models via model name. Registered user's
 uploads are saved to a private directory. This (theoretically) prevents other
 users from accessing their files.
 
-The service is hosted with socat, one process per client.
+The service is hosted with ncat, one process per client.
 
-Models are periodically cleaned up using files *last modified* date.
+Models are periodically checked for removal via their *last modified* date
+and tracked using index files.
 
 For both flagstores the **service returns the flag in plaintext**, which is
-vulnerable to detection by network filters and can lead to easy replication
-of exploits.
+vulnerable to detection by network filters. However, multiple sessions can be
+used to somewhat obfuscate the exploit mechanism.
 
 
 RCE Countermeasures
 ===================
 
 It is good practice to take preventitive measures against unintentional RCE,
-which can be used to cause havoc on vulnboxes and make services go mumble.
+which can be used to wreak havoc on vulnboxes and make services go mumble.
 
 For this reason, additional security features are enabled via compilation flags:
 
@@ -98,19 +99,20 @@ freadstr(FILE *f, char **dst)
 
 To determine whether the end-of-file was reached, the return value of `int
 fgetc(FILE *f)` is compared to the constant `EOF`, which has a value of `-1`.
-The problem lies in the fact, that this comparison is done following a demotion
-of the return value to `char` through the assignment and a subsequent promotion
-to `int`, which results in an arithmetic extension. As a result, reading the
-value char `0xff` would promote it to `0xffffffff` with a value of `-1`,
-preventing the function from reading the complete string.
+The problem lies in the fact that this comparison is done following a demotion
+of the return value to `char` through the assignment, and a subsequent promotion
+to `int`, which results in an arithmetic extension. As a result, a char with
+unsigned value `255` is cast to char (`0xff`) and then promoted to `-1`
+(`0xffffffff`). Since this value corresponds with `EOF`, it prevents the
+function from reading the complete string.
 
 This allows an attacker to cleverly truncate a string before it has ended to
 manipulate the content of strings which follow it. In this case, the model name
 is saved before the model hash in the information file. By adding a `0xff` to
-the end of our uploaded model's name, the model hash is read as an empty string
-following a `search` of the file's contents. Since any following `search` will use
-the previously loaded models hash to find the file via prefix match, any files
-uploaded by unregistered users may be accessed by a user.
+our uploaded model's name, we can control what value is loaded from the file for
+the model's hash. Since a `search last` will use the previously loaded models hash
+to find the file via prefix match, any files uploaded by unregistered users can
+be accessed by choosing this value accordingly.
 
 The flag is saved in the model name.
 
@@ -119,12 +121,12 @@ Exploiting
 ----------
 
 1. Open a session
-2. Run `upload` to upload an STL file and specify a model name ending in `0xff`
+2. Run `upload` to upload an STL file and specify a model name ending in
+	`0xff<target-hash-prefix>`
 3. Open a new session
-4. Run `search` with the same model name from **step 1** to load the parsed
-	information from the `info` file and trigger the truncation
-5. Run `search last` to use the cached hash which should be empty,
-	allowing you to accesss any files uploaded by unregistered users
+4. Run `search` with the same model name from **step 1** to load the malicious
+	model hash value
+5. Run `search last` to use the cached hash prefix to access the target file
 
 See the `exploit` method of the checker in `checker/src/checker.py`
 for an implementation in python.
@@ -208,12 +210,12 @@ previously, to log in as them and query information about their files.
 
 To calculate the preimage we repeatedly choose a seed for srand. For
 each seed, we XOR the values encoded in the hex-encoded hash with
-calls to rand(). If after generating each character the sum of the
+calls to `rand()`. If after generating each character the sum of the
 generated values is less than the seed we used, restart. Otherwise,
 we append some characters to make the sum of the input characters
 match the seed, such that the seed for srand mhash uses matches the
 one we chose. The actual value of these 'extra' chars is irrelevant,
-since mhash only processes the first 20 chars anyways.
+since mhash only processes the first 20 chars.
 
 See `checker/src/revhash/main.c` for an example implementation in C.
 
diff --git a/documentation/slides-final/.gitignore b/documentation/slides-final/.gitignore
new file mode 100644
index 0000000..e4e7469
--- /dev/null
+++ b/documentation/slides-final/.gitignore
@@ -0,0 +1 @@
+slides
diff --git a/documentation/slides-final/index.html b/documentation/slides-final/index.html
new file mode 100644
index 0000000..b7457ef
--- /dev/null
+++ b/documentation/slides-final/index.html
@@ -0,0 +1,768 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">
+  <title>STLDoctor</title>
+  <style type="text/css">
+    body {
+  font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;
+  color: #222;
+  font-size: 100%;
+}
+
+.slide {
+  position: absolute;
+  top: 0; bottom: 0;
+  left: 0; right: 0;
+  background-color: #f7f7f7;
+}
+
+.slide-content {
+  width: 800px;
+  height: 600px;
+  overflow: hidden;
+  margin: 80px auto 0 auto;
+  padding: 30px;
+
+  font-weight: 200;
+  font-size: 200%;
+  line-height: 1.375;
+}
+
+.controls {
+  position: absolute;
+  bottom: 20px;
+  left: 20px;
+}
+
+.arrow {
+  width: 0; height: 0;
+  border: 30px solid #333;
+  float: left;
+  margin-right: 30px;
+
+  -webkit-touch-callout: none;
+  -webkit-user-select: none;
+  -khtml-user-select: none;
+  -moz-user-select: none;
+  -ms-user-select: none;
+  user-select: none;
+}
+
+.prev {
+  border-top-color: transparent;
+  border-bottom-color: transparent;
+  border-left-color: transparent;
+
+  border-left-width: 0;
+  border-right-width: 50px;
+}
+
+.next {
+  border-top-color: transparent;
+  border-bottom-color: transparent;
+  border-right-color: transparent;
+
+  border-left-width: 50px;
+  border-right-width: 0;
+}
+
+.prev:hover {
+  border-right-color: #888;
+  cursor: pointer;
+}
+
+.next:hover {
+  border-left-color: #888;
+  cursor: pointer;
+}
+
+h1 {
+  font-size: 300%;
+  line-height: 1.2;
+  text-align: center;
+  margin: 170px 0 0;
+}
+
+h2 {
+  font-size: 100%;
+  line-height: 1.2;
+  margin: 5px 0;
+  text-align: center;
+  font-weight: 200;
+}
+
+h3 {
+  font-size: 140%;
+  line-height: 1.2;
+  border-bottom: 1px solid #aaa;
+  margin: 0;
+  padding-bottom: 15px;
+}
+
+ul {
+  padding: 20px 0 0 60px;
+  font-weight: 200;
+  line-height: 1.375;
+}
+
+.author h1 {
+  font-size: 170%;
+  font-weight: 200;
+  text-align: center;
+  margin-bottom: 30px;
+}
+
+.author h3 {
+  font-weight: 100;
+  text-align: center;
+  font-size: 95%;
+  border: none;
+}
+
+a {
+  text-decoration: none;
+  color: #44a4dd;
+}
+
+a:hover {
+  color: #66b5ff;
+}
+
+pre {
+  font-size: 60%;
+  line-height: 1.3;
+}
+
+.progress {
+  position: fixed;
+  top: 0; left: 0; right: 0;
+  height: 3px;
+  z-index: 1;
+}
+
+.progress-bar {
+  width: 0%;
+  height: 3px;
+  background-color: #b4b4b4;
+
+  -webkit-transition: width 0.05s ease-out;
+  -moz-transition: width 0.05s ease-out;
+  -o-transition: width 0.05s ease-out;
+  transition: width 0.05s ease-out;
+}
+
+.hidden {
+  display: none;
+}
+
+@media (max-width: 850px) {
+
+  body {
+    font-size: 70%;
+  }
+
+  .slide-content {
+    width: auto;
+  }
+
+  img {
+    width: 100%;
+  }
+
+  h1 {
+    margin-top: 120px;
+  }
+
+  .prev, .prev:hover {
+    border-right-color: rgba(135, 135, 135, 0.5);
+  }
+
+  .next, .next:hover {
+    border-left-color: rgba(135, 135, 135, 0.5);
+  }
+}
+
+@media (max-width: 480px) {
+  body {
+    font-size: 50%;
+    overflow: hidden;
+  }
+
+  .slide-content {
+    padding: 10px;
+    margin-top: 10px;
+    height: 340px;
+  }
+
+  h1 {
+    margin-top: 50px;
+  }
+
+  ul {
+    padding-left: 25px;
+  }
+}
+
+@media print {
+  * {
+    -webkit-print-color-adjust: exact;
+  }
+
+  @page {
+    size: letter;
+  }
+
+  .hidden {
+    display: inline;
+  }
+
+  html {
+    width: 100%;
+    height: 100%;
+    overflow: visible;
+  }
+
+  body {
+    margin: 0 auto !important;
+    border: 0;
+    padding: 0;
+    float: none !important;
+    overflow: visible;
+    background: none !important;
+    font-size: 52%;
+  }
+
+  .progress, .controls {
+    display: none;
+  }
+
+  .slide {
+    position: static;
+  }
+
+  .slide-content {
+    border: 1px solid #222;
+    margin-top: 0;
+    margin-bottom: 40px;
+    height: 3.5in;
+    overflow: visible;
+  }
+
+  .slide:nth-child(even) {
+    /* 2 slides per page */
+    page-break-before: always;
+  }
+}
+
+/*
+
+github.com style (c) Vasily Polovnyov <vast@whiteants.net>
+
+*/
+
+.hljs {
+  display: block;
+  overflow-x: auto;
+  padding: 0.5em;
+  color: #333;
+  background: #f8f8f8;
+}
+
+.hljs-comment,
+.hljs-quote {
+  color: #998;
+  font-style: italic;
+}
+
+.hljs-keyword,
+.hljs-selector-tag,
+.hljs-subst {
+  color: #333;
+  font-weight: bold;
+}
+
+.hljs-number,
+.hljs-literal,
+.hljs-variable,
+.hljs-template-variable,
+.hljs-tag .hljs-attr {
+  color: #008080;
+}
+
+.hljs-string,
+.hljs-doctag {
+  color: #d14;
+}
+
+.hljs-title,
+.hljs-section,
+.hljs-selector-id {
+  color: #900;
+  font-weight: bold;
+}
+
+.hljs-subst {
+  font-weight: normal;
+}
+
+.hljs-type,
+.hljs-class .hljs-title {
+  color: #458;
+  font-weight: bold;
+}
+
+.hljs-tag,
+.hljs-name,
+.hljs-attribute {
+  color: #000080;
+  font-weight: normal;
+}
+
+.hljs-regexp,
+.hljs-link {
+  color: #009926;
+}
+
+.hljs-symbol,
+.hljs-bullet {
+  color: #990073;
+}
+
+.hljs-built_in,
+.hljs-builtin-name {
+  color: #0086b3;
+}
+
+.hljs-meta {
+  color: #999;
+  font-weight: bold;
+}
+
+.hljs-deletion {
+  background: #fdd;
+}
+
+.hljs-addition {
+  background: #dfd;
+}
+
+.hljs-emphasis {
+  font-style: italic;
+}
+
+.hljs-strong {
+  font-weight: bold;
+}
+
+
+  </style>
+</head>
+<body>
+    <div class="progress">
+    <div class="progress-bar"></div>
+  </div>
+
+  <div class="slide" id="slide-1">
+    <section class="slide-content"><style>
+
+.footnote {
+    font-size: 16pt;
+    position: absolute;
+    color: gray;
+    bottom: 0px;
+    right: 0px;
+}
+
+.slide-content {
+    position: relative;
+}
+
+.slide-content > ul >li {
+    padding: 7px 0px;
+}
+
+.slide-content > p > img {
+    width: 100%;
+}
+
+</style></section>
+  </div>
+  <div class="slide hidden" id="slide-2">
+    <section class="slide-content"><!-- Recap of the service and the problems I
+encountered preparing for the CTF and during the CTF -->
+<h1 id="stldoctor-">STLDoctor 💉</h1>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-3">
+    <section class="slide-content"><h3 id="index-">Index 🗄️</h3>
+<ul>
+<li>Service recap</li>
+<li>Optimization</li>
+<li>ENOWARS 5</li>
+<li>Reflection</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-4">
+    <section class="slide-content"><h3 id="refreshing-memories-">Refreshing Memories 💾</h3>
+<ul>
+<li>Plaintext service written in C</li>
+<li>Users upload STL files for parsing</li>
+<li>Private and public storage (2 flagstores)</li>
+<li><ol>
+<li>Vuln: Deserialization</li>
+</ol>
+</li>
+<li><ol start="2">
+<li>Vuln: Hash preimage</li>
+</ol>
+</li>
+</ul>
+<p><img style="width:300px !important; height:240px; position:absolute; bottom:80px; right:70px;" src="media/stldoc.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-5">
+    <section class="slide-content"><h3 id="since-last-meeting-">Since Last Meeting ⏩</h3>
+<!-- Of these three, we want to take a closer look
+at the performance improvements necessary -->
+<ul>
+<li>Performance improvements</li>
+<li>Added service fluff</li>
+</ul>
+<p><img id=img1 src="media/stl1.png">
+<img id=img2 src="media/stl2.png">
+<img id=img3 src="media/stl3.png"></p>
+<style>
+    #img1 {
+        position: absolute;
+        left: 2.5%;
+        bottom: 7%;
+        width: 30%;
+    }
+    #img2 {
+        position: absolute;
+        left: 35%;
+        bottom: 7%;
+        width: 30%;
+    }
+    #img3 {
+        position: absolute;
+        left: 67.5%;
+        bottom: 7%;
+        width: 30%;
+    }
+</style></section>
+  </div>
+  <div class="slide hidden" id="slide-6">
+    <section class="slide-content"><h3 id="issues-">Issues 😒</h3>
+<!-- since there were some slow io operations and
+either memory leak issues with pwnlib (witout patch)
+or engine request issues with the patch,
+sooo I decided to refactor to use enochecker3 for asyncio
+
+also noticed that I was checking the same thing multiple times
+in the checker, so tried to condense functionality -->
+<ul>
+<li>Slow search / list operations</li>
+<li>Enochecker memory leak without patch</li>
+<li>Engine error on worker restart with patch</li>
+<li>Logs not showing up in ELK</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-7">
+    <section class="slide-content"><h3 id="solutions-">Solutions 💡</h3>
+<ul>
+<li>Index files with locks for directory listing</li>
+<li>Refactored checker for asyncio</li>
+<li>Condensed checker functionality</li>
+<li>Increase docker-compose log size</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-8">
+    <section class="slide-content"><h1 id="enowars-5">ENOWARS 5</h1>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-9">
+    <section class="slide-content"><h3 id="oserror-">OSError 💢</h3>
+<ul>
+<li>Checker throws <code>INTERNAL_ERROR</code> on bad connection</li>
+<li>Fixed in c97789ad.. of enochecker3</li>
+</ul>
+<p><img style="" src="media/stldoc_dead_offline.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-10">
+    <section class="slide-content"><h3 id="checker-overload-">Checker Overload 💥</h3>
+<!-- all of a sudden all checker tasks are being aborted.
+Since all tasks were aborted, all workers must be affected
+and a blockage of a single worker could not have been the
+cause.. 
+During the ctf we found the checker at high load..
+Suspected that OFFLINE/unresponsive teams could be slowing
+down the service since then the timeouts are too large and the
+queue couldnt be emptied fast enough -->
+<ul>
+<li>Checker tasks being aborted for every team</li>
+</ul>
+<p><img style="height: 80%" src="media/stldoc_dead_r432.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-11">
+    <section class="slide-content"><h3 id="checker-overload-">Checker Overload 💥</h3>
+<!-- MEME CREDIT: Liikt -->
+<p><img style="height: 80%" src="media/stldoc_dead.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-12">
+    <section class="slide-content"><h3 id="anomaly-">Anomaly 👽</h3>
+<!-- service didnt timeout except on vulnboxes where everything
+seemed to be running weirdly, so unsure how to debug -->
+<p><img style="" src="media/enowars5-timeout.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-13">
+    <section class="slide-content"><h3 id="feedback-">Feedback 🤔</h3>
+<ul>
+<li><ol>
+<li>flagstore exploited after ~4h (R190)</li>
+</ol>
+</li>
+<li><ol start="2">
+<li>flagstore not exploited</li>
+</ol>
+</li>
+</ul>
+<!-- MEME CREDIT: [KuK] cluosh -->
+<p><img style="position:absolute; right:0px; height:300px; width:450px" src="media/player-meme-struggling.png">
+<img style="position:absolute; left:0px; height:300px; width: 400px;" src="media/player-meme-hashfunc.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-14">
+    <section class="slide-content"><h3 id="conclusion-">Conclusion 🎉</h3>
+<ul>
+<li>Relatively good uptime</li>
+<li>Not too easy / hard</li>
+<li>Users found vulns interesting</li>
+<li>No (known) unintended vuln</li>
+<li>Had a lot of fun</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-15">
+    <section class="slide-content"></section>
+  </div>
+  <div class="slide hidden" id="slide-16">
+    <section class="slide-content"><h3 id="slow-io-">Slow IO 🐌</h3>
+<!-- Noticed that running 'ls' on the service upload directory
+takes very long
+implementation in e.g. glibc actually pretty sane (see end slides)
+but bad cache performance / buffer not used / docker overlay fs -->
+<ul>
+<li>Enumerating files in a directory is expensive</li>
+<li>Index file per directory containing file names</li>
+<li>File locks to ensure exclusive writes</li>
+</ul>
+<p><img style="position:absolute; bottom: 30%; left:10%; width: 70% !important;" src="media/dirlist.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-17">
+    <section class="slide-content"><h3 id="investigating-readdir-">Investigating <code>readdir(..)</code> 🔍</h3>
+<!-- What makes readdir slow? actually looks like a sane implementation.
+We buffer an amount of entries and rebuffer when we run out.
+My guess is that we can buffer more with a regular file (also we have the choice).
+Better cache performance?
+Although the read is from one location, is probably just an abstraction
+Source: GLIBC 2.0.2-->
+<p><code>__readdir(..)</code>:</p>
+<p><img style="" src="media/readdir.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-18">
+    <section class="slide-content"><h3 id="investigating-readdir-">Investigating <code>readdir(..)</code> 🔍</h3>
+<p><code>__get_dir_entries(..)</code>:</p>
+<p><img style="" src="media/getdirentries.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-19">
+    <section class="slide-content"><h3 id="checker-overload">Checker Overload</h3>
+<p><img style="" src="media/stldoc_dead_r17.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-20">
+    <section class="slide-content"><h3 id="checker-overload">Checker Overload</h3>
+<p><img style="" src="media/stldoc_dead_r469.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-21">
+    <section class="slide-content"><script>
+    // var slide_headers = document.querySelectorAll(".slide-content > h3");
+    // for (var i = 0; i < slide_headers.length; i++) {
+    //     var img = document.createElement('img')
+    //     img.src = "logo.png";
+    //     img.style = "height: 2.4ex; padding-right: 10px; float:right";
+    //     slide_headers[i].append(img);
+    // }
+</script></section>
+  </div>
+
+
+
+  <script type="text/javascript">
+    /**
+ * Returns the current page number of the presentation.
+ */
+function currentPosition() {
+  return parseInt(document.querySelector('.slide:not(.hidden)').id.slice(6));
+}
+
+
+/**
+ * Navigates forward n pages
+ * If n is negative, we will navigate in reverse
+ */
+function navigate(n) {
+  var position = currentPosition();
+  var numSlides = document.getElementsByClassName('slide').length;
+
+  /* Positions are 1-indexed, so we need to add and subtract 1 */
+  var nextPosition = (position - 1 + n) % numSlides + 1;
+
+  /* Normalize nextPosition in-case of a negative modulo result */
+  nextPosition = (nextPosition - 1 + numSlides) % numSlides + 1;
+
+  document.getElementById('slide-' + position).classList.add('hidden');
+  document.getElementById('slide-' + nextPosition).classList.remove('hidden');
+
+  updateProgress();
+  updateURL();
+  updateTabIndex();
+}
+
+
+/**
+ * Updates the current URL to include a hashtag of the current page number.
+ */
+function updateURL() {
+  try {
+    window.history.replaceState({} , null, '#' + currentPosition());
+  } catch (e) {
+    window.location.hash = currentPosition();
+  }
+}
+
+
+/**
+ * Sets the progress indicator.
+ */
+function updateProgress() {
+  var progressBar = document.querySelector('.progress-bar');
+
+  if (progressBar !== null) {
+    var numSlides = document.getElementsByClassName('slide').length;
+    var position = currentPosition() - 1;
+    var percent = (numSlides === 1) ? 100 : 100 * position / (numSlides - 1);
+    progressBar.style.width = percent.toString() + '%';
+  }
+}
+
+
+/**
+ * Removes tabindex property from all links on the current slide, sets
+ * tabindex = -1 for all links on other slides. Prevents slides from appearing
+ * out of control.
+ */
+function updateTabIndex() {
+  var allLinks = document.querySelectorAll('.slide a');
+  var position = currentPosition();
+  var currentPageLinks = document.getElementById('slide-' + position).querySelectorAll('a');
+  var i;
+
+  for (i = 0; i < allLinks.length; i++) {
+    allLinks[i].setAttribute('tabindex', -1);
+  }
+
+  for (i = 0; i < currentPageLinks.length; i++) {
+    currentPageLinks[i].removeAttribute('tabindex');
+  }
+}
+
+/**
+ * Determines whether or not we are currently in full screen mode
+ */
+function isFullScreen() {
+  return document.fullscreenElement ||
+         document.mozFullScreenElement ||
+         document.webkitFullscreenElement ||
+         document.msFullscreenElement;
+}
+
+/**
+ * Toggle fullScreen mode on document element.
+ * Works on chrome (>= 15), firefox (>= 9), ie (>= 11), opera(>= 12.1), safari (>= 5).
+ */
+function toggleFullScreen() {
+  /* Convenient renames */
+  var docElem = document.documentElement;
+  var doc = document;
+
+  docElem.requestFullscreen =
+      docElem.requestFullscreen ||
+      docElem.msRequestFullscreen ||
+      docElem.mozRequestFullScreen ||
+      docElem.webkitRequestFullscreen.bind(docElem, Element.ALLOW_KEYBOARD_INPUT);
+
+  doc.exitFullscreen =
+      doc.exitFullscreen ||
+      doc.msExitFullscreen ||
+      doc.mozCancelFullScreen ||
+      doc.webkitExitFullscreen;
+
+  isFullScreen() ? doc.exitFullscreen() : docElem.requestFullscreen();
+}
+
+document.addEventListener('DOMContentLoaded', function () {
+  // Update the tabindex to prevent weird slide transitioning
+  updateTabIndex();
+
+  // If the location hash specifies a page number, go to it.
+  var page = window.location.hash.slice(1);
+  if (page) {
+    navigate(parseInt(page) - 1);
+  }
+
+  document.onkeydown = function (e) {
+    var kc = e.keyCode;
+
+    // left, down, H, J, backspace, PgUp - BACK
+    // up, right, K, L, space, PgDn - FORWARD
+    // enter - FULLSCREEN
+    if (kc === 37 || kc === 40 || kc === 8 || kc === 72 || kc === 74 || kc === 33) {
+      navigate(-1);
+    } else if (kc === 38 || kc === 39 || kc === 32 || kc === 75 || kc === 76 || kc === 34) {
+      navigate(1);
+    } else if (kc === 13) {
+      toggleFullScreen();
+    }
+  };
+
+  if (document.querySelector('.next') && document.querySelector('.prev')) {
+    document.querySelector('.next').onclick = function (e) {
+      e.preventDefault();
+      navigate(1);
+    };
+
+    document.querySelector('.prev').onclick = function (e) {
+      e.preventDefault();
+      navigate(-1);
+    };
+  }
+});
+
+
+  </script>
+</body>
+</html>
diff --git a/documentation/slides-final/media/dirlist.png b/documentation/slides-final/media/dirlist.png
new file mode 100644
index 0000000..68985ad
Binary files /dev/null and b/documentation/slides-final/media/dirlist.png differ
diff --git a/documentation/slides-final/media/enowars5-timeout.png b/documentation/slides-final/media/enowars5-timeout.png
new file mode 100644
index 0000000..2dfecb2
Binary files /dev/null and b/documentation/slides-final/media/enowars5-timeout.png differ
diff --git a/documentation/slides-final/media/enowars5.png b/documentation/slides-final/media/enowars5.png
new file mode 100644
index 0000000..4dbba87
Binary files /dev/null and b/documentation/slides-final/media/enowars5.png differ
diff --git a/documentation/slides-final/media/exploit-1-1.png b/documentation/slides-final/media/exploit-1-1.png
new file mode 100644
index 0000000..b251075
Binary files /dev/null and b/documentation/slides-final/media/exploit-1-1.png differ
diff --git a/documentation/slides-final/media/exploit-1-2.png b/documentation/slides-final/media/exploit-1-2.png
new file mode 100644
index 0000000..e63f7d0
Binary files /dev/null and b/documentation/slides-final/media/exploit-1-2.png differ
diff --git a/documentation/slides-final/media/exploit-1-3.png b/documentation/slides-final/media/exploit-1-3.png
new file mode 100644
index 0000000..4dc961d
Binary files /dev/null and b/documentation/slides-final/media/exploit-1-3.png differ
diff --git a/documentation/slides-final/media/exploit-1-4.png b/documentation/slides-final/media/exploit-1-4.png
new file mode 100644
index 0000000..2d75f2f
Binary files /dev/null and b/documentation/slides-final/media/exploit-1-4.png differ
diff --git a/documentation/slides-final/media/exploit-1-5.png b/documentation/slides-final/media/exploit-1-5.png
new file mode 100644
index 0000000..874529b
Binary files /dev/null and b/documentation/slides-final/media/exploit-1-5.png differ
diff --git a/documentation/slides-final/media/exploit-2-1.png b/documentation/slides-final/media/exploit-2-1.png
new file mode 100644
index 0000000..91b0df7
Binary files /dev/null and b/documentation/slides-final/media/exploit-2-1.png differ
diff --git a/documentation/slides-final/media/getdirentries.png b/documentation/slides-final/media/getdirentries.png
new file mode 100644
index 0000000..e19c3e7
Binary files /dev/null and b/documentation/slides-final/media/getdirentries.png differ
diff --git a/documentation/slides-final/media/player-meme-hashfunc.png b/documentation/slides-final/media/player-meme-hashfunc.png
new file mode 100644
index 0000000..04077ca
Binary files /dev/null and b/documentation/slides-final/media/player-meme-hashfunc.png differ
diff --git a/documentation/slides-final/media/player-meme-struggling.png b/documentation/slides-final/media/player-meme-struggling.png
new file mode 100644
index 0000000..9863892
Binary files /dev/null and b/documentation/slides-final/media/player-meme-struggling.png differ
diff --git a/documentation/slides-final/media/readdir.png b/documentation/slides-final/media/readdir.png
new file mode 100644
index 0000000..a211c1f
Binary files /dev/null and b/documentation/slides-final/media/readdir.png differ
diff --git a/documentation/slides-final/media/readdir_more.png b/documentation/slides-final/media/readdir_more.png
new file mode 100644
index 0000000..c24c582
Binary files /dev/null and b/documentation/slides-final/media/readdir_more.png differ
diff --git a/documentation/slides-final/media/search.gif b/documentation/slides-final/media/search.gif
new file mode 100644
index 0000000..de4ed18
Binary files /dev/null and b/documentation/slides-final/media/search.gif differ
diff --git a/documentation/slides-final/media/socat.gif b/documentation/slides-final/media/socat.gif
new file mode 100644
index 0000000..38f1e93
Binary files /dev/null and b/documentation/slides-final/media/socat.gif differ
diff --git a/documentation/slides-final/media/stl1.png b/documentation/slides-final/media/stl1.png
new file mode 100644
index 0000000..cef284a
Binary files /dev/null and b/documentation/slides-final/media/stl1.png differ
diff --git a/documentation/slides-final/media/stl2.png b/documentation/slides-final/media/stl2.png
new file mode 100644
index 0000000..1201981
Binary files /dev/null and b/documentation/slides-final/media/stl2.png differ
diff --git a/documentation/slides-final/media/stl3.png b/documentation/slides-final/media/stl3.png
new file mode 100644
index 0000000..49045cc
Binary files /dev/null and b/documentation/slides-final/media/stl3.png differ
diff --git a/documentation/slides-final/media/stldoc.png b/documentation/slides-final/media/stldoc.png
new file mode 100644
index 0000000..f276ef7
Binary files /dev/null and b/documentation/slides-final/media/stldoc.png differ
diff --git a/documentation/slides-final/media/stldoc_dead.png b/documentation/slides-final/media/stldoc_dead.png
new file mode 100644
index 0000000..6838fbf
Binary files /dev/null and b/documentation/slides-final/media/stldoc_dead.png differ
diff --git a/documentation/slides-final/media/stldoc_dead_offline.png b/documentation/slides-final/media/stldoc_dead_offline.png
new file mode 100644
index 0000000..8cc3faa
Binary files /dev/null and b/documentation/slides-final/media/stldoc_dead_offline.png differ
diff --git a/documentation/slides-final/media/stldoc_dead_r17.png b/documentation/slides-final/media/stldoc_dead_r17.png
new file mode 100644
index 0000000..0fef751
Binary files /dev/null and b/documentation/slides-final/media/stldoc_dead_r17.png differ
diff --git a/documentation/slides-final/media/stldoc_dead_r432.png b/documentation/slides-final/media/stldoc_dead_r432.png
new file mode 100644
index 0000000..5985a1a
Binary files /dev/null and b/documentation/slides-final/media/stldoc_dead_r432.png differ
diff --git a/documentation/slides-final/media/stldoc_dead_r469.png b/documentation/slides-final/media/stldoc_dead_r469.png
new file mode 100644
index 0000000..d202b69
Binary files /dev/null and b/documentation/slides-final/media/stldoc_dead_r469.png differ
diff --git a/documentation/slides-final/slides.md b/documentation/slides-final/slides.md
new file mode 100644
index 0000000..54b1fa8
--- /dev/null
+++ b/documentation/slides-final/slides.md
@@ -0,0 +1,253 @@
+title: STLDoctor
+output: index.html
+controls: false
+
+--
+
+<style>
+
+.footnote {
+	font-size: 16pt;
+	position: absolute;
+	color: gray;
+	bottom: 0px;
+	right: 0px;
+}
+
+.slide-content {
+	position: relative;
+}
+
+.slide-content > ul >li {
+	padding: 7px 0px;
+}
+
+.slide-content > p > img {
+	width: 100%;
+}
+
+</style>
+
+--
+
+<!-- Recap of the service and the problems I
+encountered preparing for the CTF and during the CTF -->
+
+# STLDoctor 💉
+
+--
+
+### Index 🗄️
+
+- Service recap
+- Optimization
+- ENOWARS 5
+- Reflection
+
+--
+
+### Refreshing Memories 💾
+
+- Plaintext service written in C
+- Users upload STL files for parsing
+- Private and public storage (2 flagstores)
+- 1. Vuln: Deserialization
+- 2. Vuln: Hash preimage
+
+<img style="width:300px !important; height:240px; position:absolute; bottom:80px; right:70px;" src="media/stldoc.png">
+
+--
+
+### Since Last Meeting ⏩
+
+<!-- Of these three, we want to take a closer look
+at the performance improvements necessary -->
+
+- Performance improvements
+- Added service fluff
+
+<img id=img1 src="media/stl1.png">
+<img id=img2 src="media/stl2.png">
+<img id=img3 src="media/stl3.png">
+
+<style>
+	#img1 {
+		position: absolute;
+		left: 2.5%;
+		bottom: 7%;
+		width: 30%;
+	}
+	#img2 {
+		position: absolute;
+		left: 35%;
+		bottom: 7%;
+		width: 30%;
+	}
+	#img3 {
+		position: absolute;
+		left: 67.5%;
+		bottom: 7%;
+		width: 30%;
+	}
+</style>
+
+--
+
+### Issues 😒
+
+<!-- since there were some slow io operations and
+either memory leak issues with pwnlib (witout patch)
+or engine request issues with the patch,
+sooo I decided to refactor to use enochecker3 for asyncio
+
+also noticed that I was checking the same thing multiple times
+in the checker, so tried to condense functionality -->
+
+- Slow search / list operations
+- Enochecker memory leak without patch
+- Engine error on worker restart with patch
+- Logs not showing up in ELK
+
+--
+
+### Solutions 💡
+
+- Index files with locks for directory listing
+- Refactored checker for asyncio
+- Condensed checker functionality
+- Increase docker-compose log size
+
+--
+
+# ENOWARS 5
+
+--
+
+### OSError 💢
+
+- Checker throws `INTERNAL_ERROR` on bad connection
+- Fixed in c97789ad.. of enochecker3
+
+<img style="" src="media/stldoc_dead_offline.png">
+
+--
+
+### Checker Overload 💥
+
+<!-- all of a sudden all checker tasks are being aborted.
+Since all tasks were aborted, all workers must be affected
+and a blockage of a single worker could not have been the
+cause.. 
+During the ctf we found the checker at high load..
+Suspected that OFFLINE/unresponsive teams could be slowing
+down the service since then the timeouts are too large and the
+queue couldnt be emptied fast enough -->
+
+- Checker tasks being aborted for every team
+
+<img style="height: 80%" src="media/stldoc_dead_r432.png">
+
+--
+
+### Checker Overload 💥
+
+<!-- MEME CREDIT: Liikt -->
+<img style="height: 80%" src="media/stldoc_dead.png">
+
+--
+
+### Anomaly 👽
+
+<!-- service didnt timeout except on vulnboxes where everything
+seemed to be running weirdly, so unsure how to debug -->
+
+<img style="" src="media/enowars5-timeout.png">
+
+--
+
+### Feedback 🤔
+
+- 1. flagstore exploited after ~4h (R190)
+- 2. flagstore not exploited
+
+<!-- MEME CREDIT: [KuK] cluosh -->
+<img style="position:absolute; right:0px; height:300px; width:450px" src="media/player-meme-struggling.png">
+<img style="position:absolute; left:0px; height:300px; width: 400px;" src="media/player-meme-hashfunc.png">
+
+--
+
+### Conclusion 🎉
+
+- Relatively good uptime
+- Not too easy / hard
+- Users found vulns interesting
+- No (known) unintended vuln
+- Had a lot of fun
+
+--
+
+--
+
+### Slow IO 🐌
+
+<!-- Noticed that running 'ls' on the service upload directory
+takes very long
+implementation in e.g. glibc actually pretty sane (see end slides)
+but bad cache performance / buffer not used / docker overlay fs -->
+
+- Enumerating files in a directory is expensive
+- Index file per directory containing file names
+- File locks to ensure exclusive writes
+
+<img style="position:absolute; bottom: 30%; left:10%; width: 70% !important;" src="media/dirlist.png">
+
+--
+
+### Investigating `readdir(..)` 🔍
+
+<!-- What makes readdir slow? actually looks like a sane implementation.
+We buffer an amount of entries and rebuffer when we run out.
+My guess is that we can buffer more with a regular file (also we have the choice).
+Better cache performance?
+Although the read is from one location, is probably just an abstraction
+Source: GLIBC 2.0.2-->
+
+`__readdir(..)`:
+
+<img style="" src="media/readdir.png">
+
+--
+
+### Investigating `readdir(..)` 🔍
+
+`__get_dir_entries(..)`:
+
+<img style="" src="media/getdirentries.png">
+
+--
+
+### Checker Overload
+
+<img style="" src="media/stldoc_dead_r17.png">
+
+--
+
+### Checker Overload
+
+<img style="" src="media/stldoc_dead_r469.png">
+
+--
+
+
+
+
+
+<script>
+	// var slide_headers = document.querySelectorAll(".slide-content > h3");
+	// for (var i = 0; i < slide_headers.length; i++) {
+	// 	var img = document.createElement('img')
+	// 	img.src = "logo.png";
+	// 	img.style = "height: 2.4ex; padding-right: 10px; float:right";
+	// 	slide_headers[i].append(img);
+	// }
+</script>
diff --git a/documentation/slides-final/stldoctor.pdf b/documentation/slides-final/stldoctor.pdf
new file mode 100644
index 0000000..6667621
Binary files /dev/null and b/documentation/slides-final/stldoctor.pdf differ
diff --git a/documentation/slides-intro/.gitignore b/documentation/slides-intro/.gitignore
new file mode 100644
index 0000000..e4e7469
--- /dev/null
+++ b/documentation/slides-intro/.gitignore
@@ -0,0 +1 @@
+slides
diff --git a/documentation/slides-intro/index.html b/documentation/slides-intro/index.html
new file mode 100644
index 0000000..cc0aa6a
--- /dev/null
+++ b/documentation/slides-intro/index.html
@@ -0,0 +1,699 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">
+  <title>STLDoctor</title>
+  <style type="text/css">
+    body {
+  font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;
+  color: #222;
+  font-size: 100%;
+}
+
+.slide {
+  position: absolute;
+  top: 0; bottom: 0;
+  left: 0; right: 0;
+  background-color: #f7f7f7;
+}
+
+.slide-content {
+  width: 800px;
+  height: 600px;
+  overflow: hidden;
+  margin: 80px auto 0 auto;
+  padding: 30px;
+
+  font-weight: 200;
+  font-size: 200%;
+  line-height: 1.375;
+}
+
+.controls {
+  position: absolute;
+  bottom: 20px;
+  left: 20px;
+}
+
+.arrow {
+  width: 0; height: 0;
+  border: 30px solid #333;
+  float: left;
+  margin-right: 30px;
+
+  -webkit-touch-callout: none;
+  -webkit-user-select: none;
+  -khtml-user-select: none;
+  -moz-user-select: none;
+  -ms-user-select: none;
+  user-select: none;
+}
+
+.prev {
+  border-top-color: transparent;
+  border-bottom-color: transparent;
+  border-left-color: transparent;
+
+  border-left-width: 0;
+  border-right-width: 50px;
+}
+
+.next {
+  border-top-color: transparent;
+  border-bottom-color: transparent;
+  border-right-color: transparent;
+
+  border-left-width: 50px;
+  border-right-width: 0;
+}
+
+.prev:hover {
+  border-right-color: #888;
+  cursor: pointer;
+}
+
+.next:hover {
+  border-left-color: #888;
+  cursor: pointer;
+}
+
+h1 {
+  font-size: 300%;
+  line-height: 1.2;
+  text-align: center;
+  margin: 170px 0 0;
+}
+
+h2 {
+  font-size: 100%;
+  line-height: 1.2;
+  margin: 5px 0;
+  text-align: center;
+  font-weight: 200;
+}
+
+h3 {
+  font-size: 140%;
+  line-height: 1.2;
+  border-bottom: 1px solid #aaa;
+  margin: 0;
+  padding-bottom: 15px;
+}
+
+ul {
+  padding: 20px 0 0 60px;
+  font-weight: 200;
+  line-height: 1.375;
+}
+
+.author h1 {
+  font-size: 170%;
+  font-weight: 200;
+  text-align: center;
+  margin-bottom: 30px;
+}
+
+.author h3 {
+  font-weight: 100;
+  text-align: center;
+  font-size: 95%;
+  border: none;
+}
+
+a {
+  text-decoration: none;
+  color: #44a4dd;
+}
+
+a:hover {
+  color: #66b5ff;
+}
+
+pre {
+  font-size: 60%;
+  line-height: 1.3;
+}
+
+.progress {
+  position: fixed;
+  top: 0; left: 0; right: 0;
+  height: 3px;
+  z-index: 1;
+}
+
+.progress-bar {
+  width: 0%;
+  height: 3px;
+  background-color: #b4b4b4;
+
+  -webkit-transition: width 0.05s ease-out;
+  -moz-transition: width 0.05s ease-out;
+  -o-transition: width 0.05s ease-out;
+  transition: width 0.05s ease-out;
+}
+
+.hidden {
+  display: none;
+}
+
+@media (max-width: 850px) {
+
+  body {
+    font-size: 70%;
+  }
+
+  .slide-content {
+    width: auto;
+  }
+
+  img {
+    width: 100%;
+  }
+
+  h1 {
+    margin-top: 120px;
+  }
+
+  .prev, .prev:hover {
+    border-right-color: rgba(135, 135, 135, 0.5);
+  }
+
+  .next, .next:hover {
+    border-left-color: rgba(135, 135, 135, 0.5);
+  }
+}
+
+@media (max-width: 480px) {
+  body {
+    font-size: 50%;
+    overflow: hidden;
+  }
+
+  .slide-content {
+    padding: 10px;
+    margin-top: 10px;
+    height: 340px;
+  }
+
+  h1 {
+    margin-top: 50px;
+  }
+
+  ul {
+    padding-left: 25px;
+  }
+}
+
+@media print {
+  * {
+    -webkit-print-color-adjust: exact;
+  }
+
+  @page {
+    size: letter;
+  }
+
+  .hidden {
+    display: inline;
+  }
+
+  html {
+    width: 100%;
+    height: 100%;
+    overflow: visible;
+  }
+
+  body {
+    margin: 0 auto !important;
+    border: 0;
+    padding: 0;
+    float: none !important;
+    overflow: visible;
+    background: none !important;
+    font-size: 52%;
+  }
+
+  .progress, .controls {
+    display: none;
+  }
+
+  .slide {
+    position: static;
+  }
+
+  .slide-content {
+    border: 1px solid #222;
+    margin-top: 0;
+    margin-bottom: 40px;
+    height: 3.5in;
+    overflow: visible;
+  }
+
+  .slide:nth-child(even) {
+    /* 2 slides per page */
+    page-break-before: always;
+  }
+}
+
+/*
+
+github.com style (c) Vasily Polovnyov <vast@whiteants.net>
+
+*/
+
+.hljs {
+  display: block;
+  overflow-x: auto;
+  padding: 0.5em;
+  color: #333;
+  background: #f8f8f8;
+}
+
+.hljs-comment,
+.hljs-quote {
+  color: #998;
+  font-style: italic;
+}
+
+.hljs-keyword,
+.hljs-selector-tag,
+.hljs-subst {
+  color: #333;
+  font-weight: bold;
+}
+
+.hljs-number,
+.hljs-literal,
+.hljs-variable,
+.hljs-template-variable,
+.hljs-tag .hljs-attr {
+  color: #008080;
+}
+
+.hljs-string,
+.hljs-doctag {
+  color: #d14;
+}
+
+.hljs-title,
+.hljs-section,
+.hljs-selector-id {
+  color: #900;
+  font-weight: bold;
+}
+
+.hljs-subst {
+  font-weight: normal;
+}
+
+.hljs-type,
+.hljs-class .hljs-title {
+  color: #458;
+  font-weight: bold;
+}
+
+.hljs-tag,
+.hljs-name,
+.hljs-attribute {
+  color: #000080;
+  font-weight: normal;
+}
+
+.hljs-regexp,
+.hljs-link {
+  color: #009926;
+}
+
+.hljs-symbol,
+.hljs-bullet {
+  color: #990073;
+}
+
+.hljs-built_in,
+.hljs-builtin-name {
+  color: #0086b3;
+}
+
+.hljs-meta {
+  color: #999;
+  font-weight: bold;
+}
+
+.hljs-deletion {
+  background: #fdd;
+}
+
+.hljs-addition {
+  background: #dfd;
+}
+
+.hljs-emphasis {
+  font-style: italic;
+}
+
+.hljs-strong {
+  font-weight: bold;
+}
+
+
+  </style>
+    <script async src="http://localhost:35729/livereload.js"></script>
+</head>
+<body>
+    <div class="progress">
+    <div class="progress-bar"></div>
+  </div>
+
+  <div class="slide" id="slide-1">
+    <section class="slide-content"><style>
+
+.footnote {
+    font-size: 16pt;
+    position: absolute;
+    color: gray;
+    bottom: 0px;
+    right: 0px;
+}
+
+.slide-content {
+    position: relative;
+}
+
+.slide-content > ul >li {
+    padding: 7px 0px;
+}
+
+.slide-content > p > img {
+    width: 100%;
+}
+
+</style></section>
+  </div>
+  <div class="slide hidden" id="slide-2">
+    <section class="slide-content"><h1 id="stldoctor-">STLDoctor 💉</h1>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-3">
+    <section class="slide-content"><h3 id="the-plan-">The Plan 💡</h3>
+<!-- Familiar with C and wondered about non-standard
+     buffer-/integer overflow C bugs -->
+<!-- Plaintext file inspection service -->
+<!-- Interesting and realisitic bugs -->
+<!-- Written in C -->
+<!-- Have to combine 'gadgets' for exploit, but
+     as a logic bug, not RCE -->
+<ul>
+<li>Plaintext service</li>
+<li>Interesting C bugs</li>
+<li>Exploit logic bugs, not RCE</li>
+<li>Learn about the STL format</li>
+</ul>
+<p><img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-4">
+    <section class="slide-content"><h3 id="setup-">Setup 🔧</h3>
+<ul>
+<li>C binary that communicates via <code>stdin</code> and <code>stdout</code></li>
+<li>Networking abstracted through hosting with <code>socat</code></li>
+<li>File system backend with periodic clean up</li>
+</ul>
+<p><img src="media/socat.gif" alt="socat"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-5">
+    <section class="slide-content"><h3 id="functionality-">Functionality 🎮</h3>
+<!-- file system backend separates user accounts and stl files location for non-guests -->
+<!-- guest account files can be downloaded by knowing their modelname,
+     premium account files can only be downloaded by authenticated users -->
+<ul>
+<li>Users can upload and search for files</li>
+<li>Register to upload private files</li>
+<li>Uploaded files are analyzed and information is returned to the user</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden -" id="slide-6">
+    <section class="slide-content"><!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->
+<p><img src="media/search.gif" alt="FileSearch"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-7">
+    <section class="slide-content"><h3 id="1-vuln-">1. Vuln 💉</h3>
+<ul>
+<li>Flags are stored in the solidname of the STL</li>
+<li>Bug in upload info file parsing allows attacker to retrieve any public file</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-8">
+    <section class="slide-content"><h3 id="2-vuln-">2. Vuln 💉</h3>
+<ul>
+<li>Flags are stored in the solidname of a private file</li>
+<li>Buffer overflow in hash function allows enumeration of private user hashes</li>
+<li>Generate preimages of weak hash function to login as users</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-9">
+    <section class="slide-content"><h3 id="goals-met-">Goals Met 🎉</h3>
+<!-- dont need to be an expert at fancy exploitation to exploit,
+     just basic knowledge of C and testing code snippets to see
+     if they do what you expect them to in different cases -->
+<p>⭐ Plaintext file inspection service <br>
+⭐ Interesting and realisitic bugs <br>
+⭐ Combine different gadgets for exploit <br>
+⭐ Don&#39;t need to be an expert at fancy ROP <br>
+⭐ No SLA lost in TestCTF <br>
+⭐ Written in C</p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-10">
+    <section class="slide-content"><h3 id="issues-">Issues 📉</h3>
+<!-- Currently, the exploits dont require you to understand the
+    STL file format, however, to make sure that the service
+    is working correctly, you need to inspect the code -->
+<!-- Still considering encoding of flags as STL, but want to
+    avoid -->
+<p>💥 Exploits not directly related to STL format <br>
+💥 (Eno)checker has memory leaks</p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-11">
+    <section class="slide-content"><h3 id="lesssons-learned">Lesssons Learned</h3>
+<!-- from the feedback I gathered, that not a lot of people write C code
+     often, but this also means it is a great opportunity for learning
+     something new. -->
+<ul>
+<li>Many exploits are not suited for A/D ctfs</li>
+<li>How to write a FSM format parser</li>
+<li>Be careful with casts in C</li>
+<li>People just <em>love</em> C services 🤡</li>
+</ul>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-12">
+    <section class="slide-content"></section>
+  </div>
+  <div class="slide hidden" id="slide-13">
+    <section class="slide-content"></section>
+  </div>
+  <div class="slide hidden" id="slide-14">
+    <section class="slide-content"><h1 id="exploit-1">Exploit 1</h1>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-15">
+    <section class="slide-content"><p><img src="media/exploit-1-1.png" alt="exploit-1-1"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-16">
+    <section class="slide-content"><p><img src="media/exploit-1-2.png" alt="exploit-1-2"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-17">
+    <section class="slide-content"><p><img src="media/exploit-1-3.png" alt="exploit-1-3"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-18">
+    <section class="slide-content"><p><img src="media/exploit-1-4.png" alt="exploit-1-4"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-19">
+    <section class="slide-content"><p><img src="media/exploit-1-5.png" alt="exploit-1-5"></p>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-20">
+    <section class="slide-content"><h1 id="exploit-2">Exploit 2</h1>
+</section>
+  </div>
+  <div class="slide hidden" id="slide-21">
+    <section class="slide-content"><p><img src="media/exploit-2-1.png" alt="exploit-2-1"></p>
+<script>
+    // var slide_headers = document.querySelectorAll(".slide-content > h3");
+    // for (var i = 0; i < slide_headers.length; i++) {
+    //     var img = document.createElement('img')
+    //     img.src = "logo.png";
+    //     img.style = "height: 2.4ex; padding-right: 10px; float:right";
+    //     slide_headers[i].append(img);
+    // }
+</script></section>
+  </div>
+
+
+
+  <script type="text/javascript">
+    /**
+ * Returns the current page number of the presentation.
+ */
+function currentPosition() {
+  return parseInt(document.querySelector('.slide:not(.hidden)').id.slice(6));
+}
+
+
+/**
+ * Navigates forward n pages
+ * If n is negative, we will navigate in reverse
+ */
+function navigate(n) {
+  var position = currentPosition();
+  var numSlides = document.getElementsByClassName('slide').length;
+
+  /* Positions are 1-indexed, so we need to add and subtract 1 */
+  var nextPosition = (position - 1 + n) % numSlides + 1;
+
+  /* Normalize nextPosition in-case of a negative modulo result */
+  nextPosition = (nextPosition - 1 + numSlides) % numSlides + 1;
+
+  document.getElementById('slide-' + position).classList.add('hidden');
+  document.getElementById('slide-' + nextPosition).classList.remove('hidden');
+
+  updateProgress();
+  updateURL();
+  updateTabIndex();
+}
+
+
+/**
+ * Updates the current URL to include a hashtag of the current page number.
+ */
+function updateURL() {
+  try {
+    window.history.replaceState({} , null, '#' + currentPosition());
+  } catch (e) {
+    window.location.hash = currentPosition();
+  }
+}
+
+
+/**
+ * Sets the progress indicator.
+ */
+function updateProgress() {
+  var progressBar = document.querySelector('.progress-bar');
+
+  if (progressBar !== null) {
+    var numSlides = document.getElementsByClassName('slide').length;
+    var position = currentPosition() - 1;
+    var percent = (numSlides === 1) ? 100 : 100 * position / (numSlides - 1);
+    progressBar.style.width = percent.toString() + '%';
+  }
+}
+
+
+/**
+ * Removes tabindex property from all links on the current slide, sets
+ * tabindex = -1 for all links on other slides. Prevents slides from appearing
+ * out of control.
+ */
+function updateTabIndex() {
+  var allLinks = document.querySelectorAll('.slide a');
+  var position = currentPosition();
+  var currentPageLinks = document.getElementById('slide-' + position).querySelectorAll('a');
+  var i;
+
+  for (i = 0; i < allLinks.length; i++) {
+    allLinks[i].setAttribute('tabindex', -1);
+  }
+
+  for (i = 0; i < currentPageLinks.length; i++) {
+    currentPageLinks[i].removeAttribute('tabindex');
+  }
+}
+
+/**
+ * Determines whether or not we are currently in full screen mode
+ */
+function isFullScreen() {
+  return document.fullscreenElement ||
+         document.mozFullScreenElement ||
+         document.webkitFullscreenElement ||
+         document.msFullscreenElement;
+}
+
+/**
+ * Toggle fullScreen mode on document element.
+ * Works on chrome (>= 15), firefox (>= 9), ie (>= 11), opera(>= 12.1), safari (>= 5).
+ */
+function toggleFullScreen() {
+  /* Convenient renames */
+  var docElem = document.documentElement;
+  var doc = document;
+
+  docElem.requestFullscreen =
+      docElem.requestFullscreen ||
+      docElem.msRequestFullscreen ||
+      docElem.mozRequestFullScreen ||
+      docElem.webkitRequestFullscreen.bind(docElem, Element.ALLOW_KEYBOARD_INPUT);
+
+  doc.exitFullscreen =
+      doc.exitFullscreen ||
+      doc.msExitFullscreen ||
+      doc.mozCancelFullScreen ||
+      doc.webkitExitFullscreen;
+
+  isFullScreen() ? doc.exitFullscreen() : docElem.requestFullscreen();
+}
+
+document.addEventListener('DOMContentLoaded', function () {
+  // Update the tabindex to prevent weird slide transitioning
+  updateTabIndex();
+
+  // If the location hash specifies a page number, go to it.
+  var page = window.location.hash.slice(1);
+  if (page) {
+    navigate(parseInt(page) - 1);
+  }
+
+  document.onkeydown = function (e) {
+    var kc = e.keyCode;
+
+    // left, down, H, J, backspace, PgUp - BACK
+    // up, right, K, L, space, PgDn - FORWARD
+    // enter - FULLSCREEN
+    if (kc === 37 || kc === 40 || kc === 8 || kc === 72 || kc === 74 || kc === 33) {
+      navigate(-1);
+    } else if (kc === 38 || kc === 39 || kc === 32 || kc === 75 || kc === 76 || kc === 34) {
+      navigate(1);
+    } else if (kc === 13) {
+      toggleFullScreen();
+    }
+  };
+
+  if (document.querySelector('.next') && document.querySelector('.prev')) {
+    document.querySelector('.next').onclick = function (e) {
+      e.preventDefault();
+      navigate(1);
+    };
+
+    document.querySelector('.prev').onclick = function (e) {
+      e.preventDefault();
+      navigate(-1);
+    };
+  }
+});
+
+
+  </script>
+</body>
+</html>
diff --git a/documentation/slides-intro/media/exploit-1-1.png b/documentation/slides-intro/media/exploit-1-1.png
new file mode 100644
index 0000000..b251075
Binary files /dev/null and b/documentation/slides-intro/media/exploit-1-1.png differ
diff --git a/documentation/slides-intro/media/exploit-1-2.png b/documentation/slides-intro/media/exploit-1-2.png
new file mode 100644
index 0000000..e63f7d0
Binary files /dev/null and b/documentation/slides-intro/media/exploit-1-2.png differ
diff --git a/documentation/slides-intro/media/exploit-1-3.png b/documentation/slides-intro/media/exploit-1-3.png
new file mode 100644
index 0000000..4dc961d
Binary files /dev/null and b/documentation/slides-intro/media/exploit-1-3.png differ
diff --git a/documentation/slides-intro/media/exploit-1-4.png b/documentation/slides-intro/media/exploit-1-4.png
new file mode 100644
index 0000000..2d75f2f
Binary files /dev/null and b/documentation/slides-intro/media/exploit-1-4.png differ
diff --git a/documentation/slides-intro/media/exploit-1-5.png b/documentation/slides-intro/media/exploit-1-5.png
new file mode 100644
index 0000000..874529b
Binary files /dev/null and b/documentation/slides-intro/media/exploit-1-5.png differ
diff --git a/documentation/slides-intro/media/exploit-2-1.png b/documentation/slides-intro/media/exploit-2-1.png
new file mode 100644
index 0000000..91b0df7
Binary files /dev/null and b/documentation/slides-intro/media/exploit-2-1.png differ
diff --git a/documentation/slides-intro/media/search.gif b/documentation/slides-intro/media/search.gif
new file mode 100644
index 0000000..de4ed18
Binary files /dev/null and b/documentation/slides-intro/media/search.gif differ
diff --git a/documentation/slides-intro/media/socat.gif b/documentation/slides-intro/media/socat.gif
new file mode 100644
index 0000000..38f1e93
Binary files /dev/null and b/documentation/slides-intro/media/socat.gif differ
diff --git a/documentation/slides-intro/slides.md b/documentation/slides-intro/slides.md
new file mode 100644
index 0000000..48e3447
--- /dev/null
+++ b/documentation/slides-intro/slides.md
@@ -0,0 +1,184 @@
+title: STLDoctor
+output: index.html
+controls: false
+
+--
+
+<style>
+
+.footnote {
+	font-size: 16pt;
+	position: absolute;
+	color: gray;
+	bottom: 0px;
+	right: 0px;
+}
+
+.slide-content {
+	position: relative;
+}
+
+.slide-content > ul >li {
+	padding: 7px 0px;
+}
+
+.slide-content > p > img {
+	width: 100%;
+}
+
+</style>
+
+--
+
+# STLDoctor 💉
+
+--
+
+### The Plan 💡
+
+<!-- Familiar with C and wondered about non-standard
+     buffer-/integer overflow C bugs -->
+<!-- Plaintext file inspection service -->
+<!-- Interesting and realisitic bugs -->
+<!-- Written in C -->
+<!-- Have to combine 'gadgets' for exploit, but
+     as a logic bug, not RCE -->
+- Plaintext service
+- Interesting C bugs
+- Exploit logic bugs, not RCE
+- Learn about the STL format
+
+<img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png">
+
+--
+
+### Setup 🔧
+
+- C binary that communicates via `stdin` and `stdout`
+- Networking abstracted through hosting with `socat`
+- File system backend with periodic clean up
+
+![socat](media/socat.gif)
+
+--
+
+### Functionality 🎮
+
+<!-- file system backend separates user accounts and stl files location for non-guests -->
+<!-- guest account files can be downloaded by knowing their modelname,
+     premium account files can only be downloaded by authenticated users -->
+
+- Users can upload and search for files
+- Register to upload private files
+- Uploaded files are analyzed and information is returned to the user
+
+---
+
+<!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->
+
+![FileSearch](media/search.gif)
+
+--
+
+### 1. Vuln 💉
+
+- Flags are stored in the solidname of the STL
+- Bug in upload info file parsing allows attacker to retrieve any public file
+
+--
+
+### 2. Vuln 💉
+
+- Flags are stored in the solidname of a private file
+- Buffer overflow in hash function allows enumeration of private user hashes
+- Generate preimages of weak hash function to login as users
+
+--
+
+### Goals Met 🎉
+
+<!-- dont need to be an expert at fancy exploitation to exploit,
+     just basic knowledge of C and testing code snippets to see
+     if they do what you expect them to in different cases -->
+
+⭐ Plaintext file inspection service <br>
+⭐ Interesting and realisitic bugs <br>
+⭐ Combine different gadgets for exploit <br>
+⭐ Don't need to be an expert at fancy ROP <br>
+⭐ No SLA lost in TestCTF <br>
+⭐ Written in C
+
+--
+
+### Issues 📉
+
+<!-- Currently, the exploits dont require you to understand the
+	STL file format, however, to make sure that the service
+	is working correctly, you need to inspect the code -->
+
+<!-- Still considering encoding of flags as STL, but want to
+	avoid -->
+
+💥 Exploits not directly related to STL format <br>
+💥 (Eno)checker has memory leaks
+
+--
+
+### Lesssons Learned 
+
+<!-- from the feedback I gathered, that not a lot of people write C code
+     often, but this also means it is a great opportunity for learning
+     something new. -->
+
+- Many exploits are not suited for A/D ctfs
+- How to write a FSM format parser
+- Be careful with casts in C
+- People just *love* C services 🤡
+
+--
+
+--
+
+--
+
+# Exploit 1
+
+--
+
+![exploit-1-1](media/exploit-1-1.png)
+
+--
+
+![exploit-1-2](media/exploit-1-2.png)
+
+--
+
+![exploit-1-3](media/exploit-1-3.png)
+
+--
+
+![exploit-1-4](media/exploit-1-4.png)
+
+--
+
+![exploit-1-5](media/exploit-1-5.png)
+
+--
+
+# Exploit 2
+
+--
+
+![exploit-2-1](media/exploit-2-1.png)
+
+
+
+<script>
+	// var slide_headers = document.querySelectorAll(".slide-content > h3");
+	// for (var i = 0; i < slide_headers.length; i++) {
+	// 	var img = document.createElement('img')
+	// 	img.src = "logo.png";
+	// 	img.style = "height: 2.4ex; padding-right: 10px; float:right";
+	// 	slide_headers[i].append(img);
+	// }
+</script>
diff --git a/documentation/slides-intro/stldoctor.pdf b/documentation/slides-intro/stldoctor.pdf
new file mode 100644
index 0000000..ddfe89b
Binary files /dev/null and b/documentation/slides-intro/stldoctor.pdf differ
diff --git a/documentation/slides/.gitignore b/documentation/slides/.gitignore
deleted file mode 100644
index e4e7469..0000000
--- a/documentation/slides/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-slides
diff --git a/documentation/slides/index.html b/documentation/slides/index.html
deleted file mode 100644
index cc0aa6a..0000000
--- a/documentation/slides/index.html
+++ /dev/null
@@ -1,699 +0,0 @@
-<!doctype html>
-<html>
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">
-  <title>STLDoctor</title>
-  <style type="text/css">
-    body {
-  font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;
-  color: #222;
-  font-size: 100%;
-}
-
-.slide {
-  position: absolute;
-  top: 0; bottom: 0;
-  left: 0; right: 0;
-  background-color: #f7f7f7;
-}
-
-.slide-content {
-  width: 800px;
-  height: 600px;
-  overflow: hidden;
-  margin: 80px auto 0 auto;
-  padding: 30px;
-
-  font-weight: 200;
-  font-size: 200%;
-  line-height: 1.375;
-}
-
-.controls {
-  position: absolute;
-  bottom: 20px;
-  left: 20px;
-}
-
-.arrow {
-  width: 0; height: 0;
-  border: 30px solid #333;
-  float: left;
-  margin-right: 30px;
-
-  -webkit-touch-callout: none;
-  -webkit-user-select: none;
-  -khtml-user-select: none;
-  -moz-user-select: none;
-  -ms-user-select: none;
-  user-select: none;
-}
-
-.prev {
-  border-top-color: transparent;
-  border-bottom-color: transparent;
-  border-left-color: transparent;
-
-  border-left-width: 0;
-  border-right-width: 50px;
-}
-
-.next {
-  border-top-color: transparent;
-  border-bottom-color: transparent;
-  border-right-color: transparent;
-
-  border-left-width: 50px;
-  border-right-width: 0;
-}
-
-.prev:hover {
-  border-right-color: #888;
-  cursor: pointer;
-}
-
-.next:hover {
-  border-left-color: #888;
-  cursor: pointer;
-}
-
-h1 {
-  font-size: 300%;
-  line-height: 1.2;
-  text-align: center;
-  margin: 170px 0 0;
-}
-
-h2 {
-  font-size: 100%;
-  line-height: 1.2;
-  margin: 5px 0;
-  text-align: center;
-  font-weight: 200;
-}
-
-h3 {
-  font-size: 140%;
-  line-height: 1.2;
-  border-bottom: 1px solid #aaa;
-  margin: 0;
-  padding-bottom: 15px;
-}
-
-ul {
-  padding: 20px 0 0 60px;
-  font-weight: 200;
-  line-height: 1.375;
-}
-
-.author h1 {
-  font-size: 170%;
-  font-weight: 200;
-  text-align: center;
-  margin-bottom: 30px;
-}
-
-.author h3 {
-  font-weight: 100;
-  text-align: center;
-  font-size: 95%;
-  border: none;
-}
-
-a {
-  text-decoration: none;
-  color: #44a4dd;
-}
-
-a:hover {
-  color: #66b5ff;
-}
-
-pre {
-  font-size: 60%;
-  line-height: 1.3;
-}
-
-.progress {
-  position: fixed;
-  top: 0; left: 0; right: 0;
-  height: 3px;
-  z-index: 1;
-}
-
-.progress-bar {
-  width: 0%;
-  height: 3px;
-  background-color: #b4b4b4;
-
-  -webkit-transition: width 0.05s ease-out;
-  -moz-transition: width 0.05s ease-out;
-  -o-transition: width 0.05s ease-out;
-  transition: width 0.05s ease-out;
-}
-
-.hidden {
-  display: none;
-}
-
-@media (max-width: 850px) {
-
-  body {
-    font-size: 70%;
-  }
-
-  .slide-content {
-    width: auto;
-  }
-
-  img {
-    width: 100%;
-  }
-
-  h1 {
-    margin-top: 120px;
-  }
-
-  .prev, .prev:hover {
-    border-right-color: rgba(135, 135, 135, 0.5);
-  }
-
-  .next, .next:hover {
-    border-left-color: rgba(135, 135, 135, 0.5);
-  }
-}
-
-@media (max-width: 480px) {
-  body {
-    font-size: 50%;
-    overflow: hidden;
-  }
-
-  .slide-content {
-    padding: 10px;
-    margin-top: 10px;
-    height: 340px;
-  }
-
-  h1 {
-    margin-top: 50px;
-  }
-
-  ul {
-    padding-left: 25px;
-  }
-}
-
-@media print {
-  * {
-    -webkit-print-color-adjust: exact;
-  }
-
-  @page {
-    size: letter;
-  }
-
-  .hidden {
-    display: inline;
-  }
-
-  html {
-    width: 100%;
-    height: 100%;
-    overflow: visible;
-  }
-
-  body {
-    margin: 0 auto !important;
-    border: 0;
-    padding: 0;
-    float: none !important;
-    overflow: visible;
-    background: none !important;
-    font-size: 52%;
-  }
-
-  .progress, .controls {
-    display: none;
-  }
-
-  .slide {
-    position: static;
-  }
-
-  .slide-content {
-    border: 1px solid #222;
-    margin-top: 0;
-    margin-bottom: 40px;
-    height: 3.5in;
-    overflow: visible;
-  }
-
-  .slide:nth-child(even) {
-    /* 2 slides per page */
-    page-break-before: always;
-  }
-}
-
-/*
-
-github.com style (c) Vasily Polovnyov <vast@whiteants.net>
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #333;
-  background: #f8f8f8;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #998;
-  font-style: italic;
-}
-
-.hljs-keyword,
-.hljs-selector-tag,
-.hljs-subst {
-  color: #333;
-  font-weight: bold;
-}
-
-.hljs-number,
-.hljs-literal,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-tag .hljs-attr {
-  color: #008080;
-}
-
-.hljs-string,
-.hljs-doctag {
-  color: #d14;
-}
-
-.hljs-title,
-.hljs-section,
-.hljs-selector-id {
-  color: #900;
-  font-weight: bold;
-}
-
-.hljs-subst {
-  font-weight: normal;
-}
-
-.hljs-type,
-.hljs-class .hljs-title {
-  color: #458;
-  font-weight: bold;
-}
-
-.hljs-tag,
-.hljs-name,
-.hljs-attribute {
-  color: #000080;
-  font-weight: normal;
-}
-
-.hljs-regexp,
-.hljs-link {
-  color: #009926;
-}
-
-.hljs-symbol,
-.hljs-bullet {
-  color: #990073;
-}
-
-.hljs-built_in,
-.hljs-builtin-name {
-  color: #0086b3;
-}
-
-.hljs-meta {
-  color: #999;
-  font-weight: bold;
-}
-
-.hljs-deletion {
-  background: #fdd;
-}
-
-.hljs-addition {
-  background: #dfd;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-
-  </style>
-    <script async src="http://localhost:35729/livereload.js"></script>
-</head>
-<body>
-    <div class="progress">
-    <div class="progress-bar"></div>
-  </div>
-
-  <div class="slide" id="slide-1">
-    <section class="slide-content"><style>
-
-.footnote {
-    font-size: 16pt;
-    position: absolute;
-    color: gray;
-    bottom: 0px;
-    right: 0px;
-}
-
-.slide-content {
-    position: relative;
-}
-
-.slide-content > ul >li {
-    padding: 7px 0px;
-}
-
-.slide-content > p > img {
-    width: 100%;
-}
-
-</style></section>
-  </div>
-  <div class="slide hidden" id="slide-2">
-    <section class="slide-content"><h1 id="stldoctor-">STLDoctor 💉</h1>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-3">
-    <section class="slide-content"><h3 id="the-plan-">The Plan 💡</h3>
-<!-- Familiar with C and wondered about non-standard
-     buffer-/integer overflow C bugs -->
-<!-- Plaintext file inspection service -->
-<!-- Interesting and realisitic bugs -->
-<!-- Written in C -->
-<!-- Have to combine 'gadgets' for exploit, but
-     as a logic bug, not RCE -->
-<ul>
-<li>Plaintext service</li>
-<li>Interesting C bugs</li>
-<li>Exploit logic bugs, not RCE</li>
-<li>Learn about the STL format</li>
-</ul>
-<p><img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png"></p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-4">
-    <section class="slide-content"><h3 id="setup-">Setup 🔧</h3>
-<ul>
-<li>C binary that communicates via <code>stdin</code> and <code>stdout</code></li>
-<li>Networking abstracted through hosting with <code>socat</code></li>
-<li>File system backend with periodic clean up</li>
-</ul>
-<p><img src="media/socat.gif" alt="socat"></p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-5">
-    <section class="slide-content"><h3 id="functionality-">Functionality 🎮</h3>
-<!-- file system backend separates user accounts and stl files location for non-guests -->
-<!-- guest account files can be downloaded by knowing their modelname,
-     premium account files can only be downloaded by authenticated users -->
-<ul>
-<li>Users can upload and search for files</li>
-<li>Register to upload private files</li>
-<li>Uploaded files are analyzed and information is returned to the user</li>
-</ul>
-</section>
-  </div>
-  <div class="slide hidden -" id="slide-6">
-    <section class="slide-content"><!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->
-<p><img src="media/search.gif" alt="FileSearch"></p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-7">
-    <section class="slide-content"><h3 id="1-vuln-">1. Vuln 💉</h3>
-<ul>
-<li>Flags are stored in the solidname of the STL</li>
-<li>Bug in upload info file parsing allows attacker to retrieve any public file</li>
-</ul>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-8">
-    <section class="slide-content"><h3 id="2-vuln-">2. Vuln 💉</h3>
-<ul>
-<li>Flags are stored in the solidname of a private file</li>
-<li>Buffer overflow in hash function allows enumeration of private user hashes</li>
-<li>Generate preimages of weak hash function to login as users</li>
-</ul>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-9">
-    <section class="slide-content"><h3 id="goals-met-">Goals Met 🎉</h3>
-<!-- dont need to be an expert at fancy exploitation to exploit,
-     just basic knowledge of C and testing code snippets to see
-     if they do what you expect them to in different cases -->
-<p>⭐ Plaintext file inspection service <br>
-⭐ Interesting and realisitic bugs <br>
-⭐ Combine different gadgets for exploit <br>
-⭐ Don&#39;t need to be an expert at fancy ROP <br>
-⭐ No SLA lost in TestCTF <br>
-⭐ Written in C</p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-10">
-    <section class="slide-content"><h3 id="issues-">Issues 📉</h3>
-<!-- Currently, the exploits dont require you to understand the
-    STL file format, however, to make sure that the service
-    is working correctly, you need to inspect the code -->
-<!-- Still considering encoding of flags as STL, but want to
-    avoid -->
-<p>💥 Exploits not directly related to STL format <br>
-💥 (Eno)checker has memory leaks</p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-11">
-    <section class="slide-content"><h3 id="lesssons-learned">Lesssons Learned</h3>
-<!-- from the feedback I gathered, that not a lot of people write C code
-     often, but this also means it is a great opportunity for learning
-     something new. -->
-<ul>
-<li>Many exploits are not suited for A/D ctfs</li>
-<li>How to write a FSM format parser</li>
-<li>Be careful with casts in C</li>
-<li>People just <em>love</em> C services 🤡</li>
-</ul>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-12">
-    <section class="slide-content"></section>
-  </div>
-  <div class="slide hidden" id="slide-13">
-    <section class="slide-content"></section>
-  </div>
-  <div class="slide hidden" id="slide-14">
-    <section class="slide-content"><h1 id="exploit-1">Exploit 1</h1>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-15">
-    <section class="slide-content"><p><img src="media/exploit-1-1.png" alt="exploit-1-1"></p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-16">
-    <section class="slide-content"><p><img src="media/exploit-1-2.png" alt="exploit-1-2"></p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-17">
-    <section class="slide-content"><p><img src="media/exploit-1-3.png" alt="exploit-1-3"></p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-18">
-    <section class="slide-content"><p><img src="media/exploit-1-4.png" alt="exploit-1-4"></p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-19">
-    <section class="slide-content"><p><img src="media/exploit-1-5.png" alt="exploit-1-5"></p>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-20">
-    <section class="slide-content"><h1 id="exploit-2">Exploit 2</h1>
-</section>
-  </div>
-  <div class="slide hidden" id="slide-21">
-    <section class="slide-content"><p><img src="media/exploit-2-1.png" alt="exploit-2-1"></p>
-<script>
-    // var slide_headers = document.querySelectorAll(".slide-content > h3");
-    // for (var i = 0; i < slide_headers.length; i++) {
-    //     var img = document.createElement('img')
-    //     img.src = "logo.png";
-    //     img.style = "height: 2.4ex; padding-right: 10px; float:right";
-    //     slide_headers[i].append(img);
-    // }
-</script></section>
-  </div>
-
-
-
-  <script type="text/javascript">
-    /**
- * Returns the current page number of the presentation.
- */
-function currentPosition() {
-  return parseInt(document.querySelector('.slide:not(.hidden)').id.slice(6));
-}
-
-
-/**
- * Navigates forward n pages
- * If n is negative, we will navigate in reverse
- */
-function navigate(n) {
-  var position = currentPosition();
-  var numSlides = document.getElementsByClassName('slide').length;
-
-  /* Positions are 1-indexed, so we need to add and subtract 1 */
-  var nextPosition = (position - 1 + n) % numSlides + 1;
-
-  /* Normalize nextPosition in-case of a negative modulo result */
-  nextPosition = (nextPosition - 1 + numSlides) % numSlides + 1;
-
-  document.getElementById('slide-' + position).classList.add('hidden');
-  document.getElementById('slide-' + nextPosition).classList.remove('hidden');
-
-  updateProgress();
-  updateURL();
-  updateTabIndex();
-}
-
-
-/**
- * Updates the current URL to include a hashtag of the current page number.
- */
-function updateURL() {
-  try {
-    window.history.replaceState({} , null, '#' + currentPosition());
-  } catch (e) {
-    window.location.hash = currentPosition();
-  }
-}
-
-
-/**
- * Sets the progress indicator.
- */
-function updateProgress() {
-  var progressBar = document.querySelector('.progress-bar');
-
-  if (progressBar !== null) {
-    var numSlides = document.getElementsByClassName('slide').length;
-    var position = currentPosition() - 1;
-    var percent = (numSlides === 1) ? 100 : 100 * position / (numSlides - 1);
-    progressBar.style.width = percent.toString() + '%';
-  }
-}
-
-
-/**
- * Removes tabindex property from all links on the current slide, sets
- * tabindex = -1 for all links on other slides. Prevents slides from appearing
- * out of control.
- */
-function updateTabIndex() {
-  var allLinks = document.querySelectorAll('.slide a');
-  var position = currentPosition();
-  var currentPageLinks = document.getElementById('slide-' + position).querySelectorAll('a');
-  var i;
-
-  for (i = 0; i < allLinks.length; i++) {
-    allLinks[i].setAttribute('tabindex', -1);
-  }
-
-  for (i = 0; i < currentPageLinks.length; i++) {
-    currentPageLinks[i].removeAttribute('tabindex');
-  }
-}
-
-/**
- * Determines whether or not we are currently in full screen mode
- */
-function isFullScreen() {
-  return document.fullscreenElement ||
-         document.mozFullScreenElement ||
-         document.webkitFullscreenElement ||
-         document.msFullscreenElement;
-}
-
-/**
- * Toggle fullScreen mode on document element.
- * Works on chrome (>= 15), firefox (>= 9), ie (>= 11), opera(>= 12.1), safari (>= 5).
- */
-function toggleFullScreen() {
-  /* Convenient renames */
-  var docElem = document.documentElement;
-  var doc = document;
-
-  docElem.requestFullscreen =
-      docElem.requestFullscreen ||
-      docElem.msRequestFullscreen ||
-      docElem.mozRequestFullScreen ||
-      docElem.webkitRequestFullscreen.bind(docElem, Element.ALLOW_KEYBOARD_INPUT);
-
-  doc.exitFullscreen =
-      doc.exitFullscreen ||
-      doc.msExitFullscreen ||
-      doc.mozCancelFullScreen ||
-      doc.webkitExitFullscreen;
-
-  isFullScreen() ? doc.exitFullscreen() : docElem.requestFullscreen();
-}
-
-document.addEventListener('DOMContentLoaded', function () {
-  // Update the tabindex to prevent weird slide transitioning
-  updateTabIndex();
-
-  // If the location hash specifies a page number, go to it.
-  var page = window.location.hash.slice(1);
-  if (page) {
-    navigate(parseInt(page) - 1);
-  }
-
-  document.onkeydown = function (e) {
-    var kc = e.keyCode;
-
-    // left, down, H, J, backspace, PgUp - BACK
-    // up, right, K, L, space, PgDn - FORWARD
-    // enter - FULLSCREEN
-    if (kc === 37 || kc === 40 || kc === 8 || kc === 72 || kc === 74 || kc === 33) {
-      navigate(-1);
-    } else if (kc === 38 || kc === 39 || kc === 32 || kc === 75 || kc === 76 || kc === 34) {
-      navigate(1);
-    } else if (kc === 13) {
-      toggleFullScreen();
-    }
-  };
-
-  if (document.querySelector('.next') && document.querySelector('.prev')) {
-    document.querySelector('.next').onclick = function (e) {
-      e.preventDefault();
-      navigate(1);
-    };
-
-    document.querySelector('.prev').onclick = function (e) {
-      e.preventDefault();
-      navigate(-1);
-    };
-  }
-});
-
-
-  </script>
-</body>
-</html>
diff --git a/documentation/slides/media/exploit-1-1.png b/documentation/slides/media/exploit-1-1.png
deleted file mode 100644
index b251075..0000000
Binary files a/documentation/slides/media/exploit-1-1.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-1-2.png b/documentation/slides/media/exploit-1-2.png
deleted file mode 100644
index e63f7d0..0000000
Binary files a/documentation/slides/media/exploit-1-2.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-1-3.png b/documentation/slides/media/exploit-1-3.png
deleted file mode 100644
index 4dc961d..0000000
Binary files a/documentation/slides/media/exploit-1-3.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-1-4.png b/documentation/slides/media/exploit-1-4.png
deleted file mode 100644
index 2d75f2f..0000000
Binary files a/documentation/slides/media/exploit-1-4.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-1-5.png b/documentation/slides/media/exploit-1-5.png
deleted file mode 100644
index 874529b..0000000
Binary files a/documentation/slides/media/exploit-1-5.png and /dev/null differ
diff --git a/documentation/slides/media/exploit-2-1.png b/documentation/slides/media/exploit-2-1.png
deleted file mode 100644
index 91b0df7..0000000
Binary files a/documentation/slides/media/exploit-2-1.png and /dev/null differ
diff --git a/documentation/slides/media/search.gif b/documentation/slides/media/search.gif
deleted file mode 100644
index de4ed18..0000000
Binary files a/documentation/slides/media/search.gif and /dev/null differ
diff --git a/documentation/slides/media/socat.gif b/documentation/slides/media/socat.gif
deleted file mode 100644
index 38f1e93..0000000
Binary files a/documentation/slides/media/socat.gif and /dev/null differ
diff --git a/documentation/slides/slides.md b/documentation/slides/slides.md
deleted file mode 100644
index 48e3447..0000000
--- a/documentation/slides/slides.md
+++ /dev/null
@@ -1,184 +0,0 @@
-title: STLDoctor
-output: index.html
-controls: false
-
---
-
-<style>
-
-.footnote {
-	font-size: 16pt;
-	position: absolute;
-	color: gray;
-	bottom: 0px;
-	right: 0px;
-}
-
-.slide-content {
-	position: relative;
-}
-
-.slide-content > ul >li {
-	padding: 7px 0px;
-}
-
-.slide-content > p > img {
-	width: 100%;
-}
-
-</style>
-
---
-
-# STLDoctor 💉
-
---
-
-### The Plan 💡
-
-<!-- Familiar with C and wondered about non-standard
-     buffer-/integer overflow C bugs -->
-<!-- Plaintext file inspection service -->
-<!-- Interesting and realisitic bugs -->
-<!-- Written in C -->
-<!-- Have to combine 'gadgets' for exploit, but
-     as a logic bug, not RCE -->
-- Plaintext service
-- Interesting C bugs
-- Exploit logic bugs, not RCE
-- Learn about the STL format
-
-<img style="width: 240px !important; transform: rotate(90deg); height: 240px; position:absolute; top:150px; right:70px;" src="https://upload.wikimedia.org/wikipedia/commons/9/9b/STL_sample_2.png">
-
---
-
-### Setup 🔧
-
-- C binary that communicates via `stdin` and `stdout`
-- Networking abstracted through hosting with `socat`
-- File system backend with periodic clean up
-
-![socat](media/socat.gif)
-
---
-
-### Functionality 🎮
-
-<!-- file system backend separates user accounts and stl files location for non-guests -->
-<!-- guest account files can be downloaded by knowing their modelname,
-     premium account files can only be downloaded by authenticated users -->
-
-- Users can upload and search for files
-- Register to upload private files
-- Uploaded files are analyzed and information is returned to the user
-
----
-
-<!-- Sample interaction demonstrating how you would retrieve a file you uploaded -->
-
-![FileSearch](media/search.gif)
-
---
-
-### 1. Vuln 💉
-
-- Flags are stored in the solidname of the STL
-- Bug in upload info file parsing allows attacker to retrieve any public file
-
---
-
-### 2. Vuln 💉
-
-- Flags are stored in the solidname of a private file
-- Buffer overflow in hash function allows enumeration of private user hashes
-- Generate preimages of weak hash function to login as users
-
---
-
-### Goals Met 🎉
-
-<!-- dont need to be an expert at fancy exploitation to exploit,
-     just basic knowledge of C and testing code snippets to see
-     if they do what you expect them to in different cases -->
-
-⭐ Plaintext file inspection service <br>
-⭐ Interesting and realisitic bugs <br>
-⭐ Combine different gadgets for exploit <br>
-⭐ Don't need to be an expert at fancy ROP <br>
-⭐ No SLA lost in TestCTF <br>
-⭐ Written in C
-
---
-
-### Issues 📉
-
-<!-- Currently, the exploits dont require you to understand the
-	STL file format, however, to make sure that the service
-	is working correctly, you need to inspect the code -->
-
-<!-- Still considering encoding of flags as STL, but want to
-	avoid -->
-
-💥 Exploits not directly related to STL format <br>
-💥 (Eno)checker has memory leaks
-
---
-
-### Lesssons Learned 
-
-<!-- from the feedback I gathered, that not a lot of people write C code
-     often, but this also means it is a great opportunity for learning
-     something new. -->
-
-- Many exploits are not suited for A/D ctfs
-- How to write a FSM format parser
-- Be careful with casts in C
-- People just *love* C services 🤡
-
---
-
---
-
---
-
-# Exploit 1
-
---
-
-![exploit-1-1](media/exploit-1-1.png)
-
---
-
-![exploit-1-2](media/exploit-1-2.png)
-
---
-
-![exploit-1-3](media/exploit-1-3.png)
-
---
-
-![exploit-1-4](media/exploit-1-4.png)
-
---
-
-![exploit-1-5](media/exploit-1-5.png)
-
---
-
-# Exploit 2
-
---
-
-![exploit-2-1](media/exploit-2-1.png)
-
-
-
-<script>
-	// var slide_headers = document.querySelectorAll(".slide-content > h3");
-	// for (var i = 0; i < slide_headers.length; i++) {
-	// 	var img = document.createElement('img')
-	// 	img.src = "logo.png";
-	// 	img.style = "height: 2.4ex; padding-right: 10px; float:right";
-	// 	slide_headers[i].append(img);
-	// }
-</script>
diff --git a/documentation/slides/stldoctor.pdf b/documentation/slides/stldoctor.pdf
deleted file mode 100644
index ddfe89b..0000000
Binary files a/documentation/slides/stldoctor.pdf and /dev/null differ
-- 
cgit v1.2.3-71-gd317