I’m looking for a hint on what I’m doing wrong on this challenge. I have the leak working and can call arbitrary libc functions locally. Calls to sleep, puts, etc. work. If I call SYSTEM with RDI set to the address of a shell string, everything seems OK on entry to the SYSTEM function (verified using gdb). However, no shell is spawned and the connection closes. I’m using Pwntools. Is there something I have to do on the second stage which I’m missing?
Any help is really appreciated. I feel I’m close but missing something obvious to get the shell.