diff --git a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml b/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
new file mode 100644
index 000000000..17bdaa502
--- /dev/null
+++ b/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+	<name>Writing Exploits: Linux and Stack-smashing Buffer Overflows</name>
+  <author>Thomas Shaw</author>
+  <description>
+[Lab sheet here](https://docs.google.com/document/d/1wgxLYHkdeLknRcbzZY73xZt36TWExuu-lfIJhRuHE-I/).
+	</description>
+
+	<type>ctf-lab</type>
+  <type>lab-sheet</type>
+  <difficulty>advanced</difficulty>
+
+	<system>
+		<system_name>linux_server</system_name>
+		<base platform="linux" type="desktop" distro="Buster"/>
+
+		<input into_datastore="IP_addresses">
+			<!-- 0 linux_server-->
+			<value>172.16.0.2</value>
+			<!-- 1 kali -->
+			<value>172.16.0.3</value>
+		</input>
+
+		<!-- This system wants:
+			 - Binary challenge (no stack protections) hosted over the network with setgid
+			 - Binary challenge (no stack protections) hosted locally with setuid
+			 - Web server containing a copy of the setgid binary and .c file, serving up at http://<ip_address>:80
+		-->
+
+		<network type="private_network">
+			<input into="IP_address">
+				<datastore access="0">IP_addresses</datastore>
+			</input>
+		</network>
+	</system>
+
+	<system>
+		<system_name>kali</system_name>
+		<base distro="Kali" name="MSF"/>
+
+		<input into_datastore="kali_root_account">
+			<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+		</input>
+
+		<!-- This system wants:
+			- Firefox to point at the web server
+		-->
+
+		<utility module_path=".*/iceweasel">
+			<input into="accounts">
+				<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+			</input>
+			<input into="autostart">
+				<value>true</value>
+			</input>
+			<input into="start_page">
+				<datastore access="1">IP_addresses</datastore>
+			</input>
+		</utility>
+
+		<utility module_path=".*/metasploit_framework"/>
+		<utility module_path=".*/armitage"/>
+		<utility module_path=".*/exploitdb"/>
+		<utility module_path=".*/handy_cli_tools"/>
+		<utility module_path=".*/nmap"/>
+
+		<network type="private_network" >
+			<input into="IP_address">
+				<datastore access="1">IP_addresses</datastore>
+			</input>
+		</network>
+	</system>
+</scenario>