diff --git a/SUMMARY.md b/SUMMARY.md index 8d6d18f..df67d7b 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -28,13 +28,6 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [1.5.9 Linux 内核](doc/1.5.9_linux_kernel.md) * [1.5.10 Windows 内核](doc/1.5.10_windows_kernel.md) * [1.6 密码学基础](doc/1.6_crypto_basic.md) - * [1.6.1 初等数论](doc/1.6.1_number_theory.md) - * [1.6.2 近世代数](doc/1.6.2_modern_algebra.md) - * [1.6.3 流密码](doc/1.6.3_stream_cipher.md) - * [1.6.4 分组密码](doc/1.6.4_block_cipher.md) - * [1.6.5 公钥密码](doc/1.6.5_public-key_crypto.md) - * [1.6.6 哈希函数](doc/1.6.6_hash.md) - * [1.6.7 数字签名](doc/1.6.7_digital_signature.md) * [1.7 Android 安全基础](doc/1.7_android_basic.md) * [1.7.1 Android 环境搭建](doc/1.7.1_android_env.md) * [1.7.2 Dalvik 指令集](doc/1.7.2_dalvik.md) @@ -154,6 +147,8 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One * [6.1.21 pwn HITCONCTF2016 Secret_Holder](doc/6.1.21_pwn_hitconctf2016_secret_holder.md) * [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](doc/6.1.22_pwn_hitconctf2016_sleepy_holder.md) * [6.1.23 pwn BCTF2016 bcloud](doc/6.1.23_pwn_bctf2016_bcloud.md) + * [6.1.24 pwn HCTF2017 babyprintf](doc/6.1.24_pwn_hctf2017_babyprintf.md) + * [6.1.25 pwn 34C3CTF2017 300](doc/6.1.25_pwn_34c3ctf2017_300.md) * Reverse * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md) diff --git a/doc/1.6.1_number_theory.md b/doc/1.6.1_number_theory.md deleted file mode 100644 index dd3fb71..0000000 --- a/doc/1.6.1_number_theory.md +++ /dev/null @@ -1 +0,0 @@ -# 1.6.1 初等数论 diff --git a/doc/1.6.2_modern_algebra.md b/doc/1.6.2_modern_algebra.md deleted file mode 100644 index f7dad41..0000000 --- a/doc/1.6.2_modern_algebra.md +++ /dev/null @@ -1 +0,0 @@ -# 1.6.2 近世代数 diff --git a/doc/1.6.3_stream_cipher.md b/doc/1.6.3_stream_cipher.md deleted file mode 100644 index 7271594..0000000 --- a/doc/1.6.3_stream_cipher.md +++ /dev/null 
@@ -1,11 +0,0 @@ -# 1.6.3 流密码 - -- [流密码概述](#流密码概述) -- [参考资料](#参考资料) - - -## 流密码概述 - - -## 参考资料 -- [Stream cipher](https://en.wikipedia.org/wiki/Stream_cipher) diff --git a/doc/1.6.4_block_cipher.md b/doc/1.6.4_block_cipher.md deleted file mode 100644 index 18de5ad..0000000 --- a/doc/1.6.4_block_cipher.md +++ /dev/null @@ -1,57 +0,0 @@ -# 1.6.4 分组密码 - -- [分组密码概述](#分组密码概述) - - [Feistel 密码结构](#feistel-密码结构) -- [数据加密标准](#数据加密标准) - - [DES](#des) - - [3DES](#3des) -- [高级加密标准](#高级加密标准) -- [分组密码工作模式](#分组密码工作模式) - - [电子密码本模式](#电子密码本模式) - - [密码分组链接模式](#密码分组链接模式) - - [密码反馈模式](#密码反馈模式) - - [输出反馈模式](#输出反馈模式) - - [计数器模式](#计数器模式) -- [参考资料](#参考资料) - - -## 分组密码概述 - -#### Feistel 密码结构 -Feistel 结构是分组密码的一个通用结构。其加密算法的输入是长度为 2*w* 比特的明文分组及密钥 *K*。明文分组被分为两半:![L0][1] 和 ![R0][2] - -![](../pic/1.6.4_feistel.png) - - -## 数据加密标准 - -#### DES - -#### 3DES - - -## 高级加密标准 - - -## 分组密码工作模式 - -#### 电子密码本模式 - -#### 密码分组链接模式 - -#### 密码反馈模式 - -#### 输出反馈模式 - -#### 计数器模式 - - -## 参考资料 -- [Block cipher](https://en.wikipedia.org/wiki/Block_cipher) -- [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard) -- [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) -- [Block cipher mode of operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation) - - - [1]: http://chart.apis.google.com/chart?cht=tx&chl=L_0 - [2]: http://chart.apis.google.com/chart?cht=tx&chl=R_0 diff --git a/doc/1.6.5_public-key_crypto.md b/doc/1.6.5_public-key_crypto.md deleted file mode 100644 index 1302356..0000000 --- a/doc/1.6.5_public-key_crypto.md +++ /dev/null @@ -1,12 +0,0 @@ -# 1.6.5 公钥密码 - -- [参考资料](#参考资料) -- [RSA](#rsa) - - -## RSA - - -## 参考资料 -- [Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) -- [RSA (cryptosystem)](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) diff --git a/doc/1.6.6_hash.md b/doc/1.6.6_hash.md deleted file mode 100644 index 6cb7a2b..0000000 --- a/doc/1.6.6_hash.md +++ /dev/null 
@@ -1,7 +0,0 @@ -# 1.6.6 哈希函数 - -- [参考资料](#参考资料) - - -## 参考资料 -- [Hash function](https://en.wikipedia.org/wiki/Hash_function) diff --git a/doc/1.6.7_digital_signature.md b/doc/1.6.7_digital_signature.md deleted file mode 100644 index 07dc04e..0000000 --- a/doc/1.6.7_digital_signature.md +++ /dev/null @@ -1,7 +0,0 @@ -# 1.6.7 数字签名 - -- [参考资料](#参考资料) - - -## 参考资料 -- [Digital signature](https://en.wikipedia.org/wiki/Digital_signature) diff --git a/doc/1.6_crypto_basic.md b/doc/1.6_crypto_basic.md index f2898cc..929d42a 100644 --- a/doc/1.6_crypto_basic.md +++ b/doc/1.6_crypto_basic.md @@ -1,9 +1 @@ # 1.6 密码学基础 - -- [1.6.1 初等数论](1.6.1_number_theory.md) -- [1.6.2 近世代数](1.6.2_modern_algebra.md) -- [1.6.3 流密码](1.6.3_stream_cipher.md) -- [1.6.4 分组密码](1.6.4_block_cipher.md) -- [1.6.5 公钥密码](1.6.5_public-key_crypto.md) -- [1.6.6 哈希函数](1.6.6_hash.md) -- [1.6.7 数字签名](1.6.7_digital_signature.md) diff --git a/doc/6.1.23_pwn_bctf2016_bcloud.md b/doc/6.1.23_pwn_bctf2016_bcloud.md index 286a5c8..cfc7cb3 100644 --- a/doc/6.1.23_pwn_bctf2016_bcloud.md +++ b/doc/6.1.23_pwn_bctf2016_bcloud.md @@ -19,6 +19,7 @@ $ strings libc-2.19.so | grep "GNU C" GNU C Library (Ubuntu EGLIBC 2.19-0ubuntu6.7) stable release version 2.19, by Roland McGrath et al. Compiled by GNU CC version 4.8.2. ``` +32 位程序,开启了 Canary 和 NX,默认开启 ASLR。 ## 题目解析 diff --git a/doc/6.1.24_pwn_hctf2017_babyprintf.md b/doc/6.1.24_pwn_hctf2017_babyprintf.md new file mode 100644 index 0000000..cca2b91 --- /dev/null +++ b/doc/6.1.24_pwn_hctf2017_babyprintf.md 
@@ -0,0 +1,29 @@ +# 6.1.24 pwn HCTF2017 babyprintf + +- [题目复现](#题目复现) +- [题目解析](#题目解析) +- [漏洞利用](#漏洞利用) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.24_pwn_hctf2017_babyprintf) + +## 题目复现 +``` +$ file babyprintf +babyprintf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5652f65b98094d8ab456eb0a54d37d9b09b4f3f6, stripped +$ checksec -f babyprintf +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 1 2 babyprintf +$ strings libc-2.24.so | grep "GNU C" +GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al. +Compiled by GNU CC version 6.3.0 20170406. +``` + + +## 题目解析 + +## 漏洞利用 + +## 参考资料 +- https://github.com/spineee/hctf/tree/master/2017/babyprintf diff --git a/doc/6.1.25_pwn_34c3ctf2017_300.md b/doc/6.1.25_pwn_34c3ctf2017_300.md new file mode 100644 index 0000000..b375ff6 --- /dev/null +++ b/doc/6.1.25_pwn_34c3ctf2017_300.md @@ -0,0 +1,29 @@ +# 6.1.25 pwn 34C3CTF2017 300 + +- [题目复现](#题目复现) +- [题目解析](#题目解析) +- [漏洞利用](#漏洞利用) +- [参考资料](#参考资料) + + +[下载文件](../src/writeup/6.1.25_pwn_34c3ctf2017_300) + +## 题目复现 +``` +$ file 300 +300: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5f43b102f0fe3f3dd770637f1d244384f6b2a1c9, not stripped +$ checksec -f 300 +RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE +Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 0 2 300 +$ strings libc.so.6 | grep "GNU C" +GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2) stable release version 2.24, by Roland McGrath et al. +Compiled by GNU CC version 6.3.0 20170406. +``` + + +## 题目解析 + +## 漏洞利用 + +## 参考资料 +- https://ctftime.org/task/5172 
diff --git a/doc/6_writeup.md b/doc/6_writeup.md index 7610047..c6419ac 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md @@ -24,6 +24,8 @@ * [6.1.21 pwn HITCONCTF2016 Secret_Holder](6.1.21_pwn_hitconctf2016_secret_holder.md) * [6.1.22 pwn HITCONCTF2016 Sleepy_Holder](6.1.22_pwn_hitconctf2016_sleepy_holder.md) * [6.1.23 pwn BCTF2016 bcloud](6.1.23_pwn_bctf2016_bcloud.md) + * [6.1.24 pwn HCTF2017 babyprintf](6.1.24_pwn_hctf2017_babyprintf.md) + * [6.1.25 pwn 34C3CTF2017 300](6.1.25_pwn_34c3ctf2017_300.md) * Reverse * [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md) * [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md) diff --git a/src/writeup/6.1.24_pwn_hctf2017_babyprintf/babyprintf b/src/writeup/6.1.24_pwn_hctf2017_babyprintf/babyprintf new file mode 100644 index 0000000..e74440f Binary files /dev/null and b/src/writeup/6.1.24_pwn_hctf2017_babyprintf/babyprintf differ diff --git a/src/writeup/6.1.24_pwn_hctf2017_babyprintf/libc-2.24.so b/src/writeup/6.1.24_pwn_hctf2017_babyprintf/libc-2.24.so new file mode 100644 index 0000000..871b794 Binary files /dev/null and b/src/writeup/6.1.24_pwn_hctf2017_babyprintf/libc-2.24.so differ diff --git a/src/writeup/6.1.25_pwn_34c3ctf2017_300/300 b/src/writeup/6.1.25_pwn_34c3ctf2017_300/300 new file mode 100644 index 0000000..c3d0dd4 Binary files /dev/null and b/src/writeup/6.1.25_pwn_34c3ctf2017_300/300 differ diff --git a/src/writeup/6.1.25_pwn_34c3ctf2017_300/libc.so.6 b/src/writeup/6.1.25_pwn_34c3ctf2017_300/libc.so.6 new file mode 100644 index 0000000..871b794 Binary files /dev/null and b/src/writeup/6.1.25_pwn_34c3ctf2017_300/libc.so.6 differ
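Review bot: the first SUMMARY.md hunk drops all seven 1.6.x entries and the matching file deletions discard the only written material the crypto chapter had, namely the Feistel paragraph in doc/1.6.4_block_cipher.md (2*w*-bit block split into L0 and R0) together with its outline of DES, 3DES, AES and the five modes of operation; that file also referenced ../pic/1.6.4_feistel.png, and nothing in this patch removes the image, so it is left orphaned. Either delete the unreferenced image in the same change or relocate the Feistel text, and explain in the commit message why the chapter is being removed instead of completed.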
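Review bot: after the doc/1.6_crypto_basic.md hunk the file is reduced to the single heading `# 1.6 密码学基础` with no body, while SUMMARY.md keeps the context line `* [1.6 密码学基础](doc/1.6_crypto_basic.md)` pointing at it; either drop that link as well or leave a one-line placeholder so the link does not land on an empty page.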
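Review bot: in the bcloud hunk the added line `+32 位程序,开启了 Canary 和 NX,默认开启 ASLR。` is placed directly against the closing ``` fence, whereas the new 6.1.24 and 6.1.25 pages separate the fence from the next heading with blank lines; add a blank line on each side for consistency. Also, Canary and NX are properties of the binary as reported by checksec, while ASLR is a setting of the host the binary runs on, so state the two separately rather than in one sentence that reads as if all three were checksec findings.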
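Review bot: doc/6.1.24_pwn_hctf2017_babyprintf.md is added with `## 题目解析` and `## 漏洞利用` as empty headings, so the page is a stub; if it has to land before the analysis is written, say so under the headings. The checksec output shows `FORTIFY Yes` with `Fortified 1`, which the text never mentions; add a one-line mitigations summary after the fence (as the bcloud hunk does for Canary and NX) and include FORTIFY there, since it is the mitigation most relevant to a printf-centred challenge. The reference is a bare URL, while the rest of the repo (see the deleted 1.6.x files) uses `- [title](url)` entries.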
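Review bot: doc/6.1.25_pwn_34c3ctf2017_300.md has the same empty `## 题目解析` and `## 漏洞利用` sections and the same bare-URL reference style as the babyprintf page. Its checksec line differs materially from babyprintf (`Full RELRO`, `PIE enabled`, `Fortified 0`, and `file` reports a `shared object`), so the mitigations summary for this page should record Full RELRO and PIE explicitly rather than leaving the reader to diff the two outputs.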
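Review bot: src/writeup/6.1.24_pwn_hctf2017_babyprintf/libc-2.24.so and src/writeup/6.1.25_pwn_34c3ctf2017_300/libc.so.6 are both added with blob id `871b794`, i.e. the identical file is committed twice under two names, and both pages quote the same `GNU C Library (Ubuntu GLIBC 2.24-9ubuntu2.2)` build from `strings`; keep a single copy (or a shared libc directory) and have each writeup point at it, so the duplicate binary does not inflate the repository.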