diff --git a/ESP/Jnouner_Router/README.md b/ESP/Jnouner_Router/README.md
index 37793cb..de47c90 100644
--- a/ESP/Jnouner_Router/README.md
+++ b/ESP/Jnouner_Router/README.md
@@ -58,7 +58,9 @@ a custom UDP protocol (JMP) to exfiltrate the final flag.
 
 ## Solution
 
-### Setup — Flash the firmware
+### Setup
+![esptool flashing firmware to ESP32](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/esptool_flash.png)
+ — Flash the firmware
 
 ```bash
 esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 460800 write_flash -z \
@@ -77,7 +79,9 @@ screen /dev/ttyUSB0 115200
 
 ---
 
-### Flag 1 — Console Access (100 pts)
+### Flag 1 — Console Access
+![UART admin console authentication](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/jnouned_uart.png)
+ (100 pts)
 
 The UART console presents a `jnoun-console>` prompt requiring a password.
 
@@ -101,7 +105,9 @@ Flag 1 is printed on success.
 
 ---
 
-### Flag 2 — 802.11 TX (200 pts)
+### Flag 2 — 802.11 TX
+![802.11 frame capture with flag payload](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/jnouned_wifi.png)
+ (200 pts)
 
 From the admin console, read device settings: