Tags: pwn
This is the same as Storytime.
I use `printf` to leak `gets()`'s libc address by doing `printf(gets_got)`. Then, using the leak, I find the libc version, find the `gets` offset, and use that to calculate the libc base.
I then also use the offsets of `system` and `'/bin/sh'` to calculate their addresses, then just make sure to jump back to `main` after the leak and re-exploit the program by calling `system('/bin/sh')`.
The exploit is shown on [my website](https://syedfarazabrar.com/pwn/2019/06/22/hsctf-binary-exploitation-challenges.html#combo-chain).