App - System

Thursday 1 October 2020, 02:46  #1
[STACKED] bin pwn ELF_x64 Off-by-one stack based
swagcat228
  • 3 posts

Hi all.

Please, can somebody push me in direction to solution?

I'm able to control $RIP, and I can also leak a libc address. I can even modify the stack to pass the cmp when the program is run again.
But there is no user input, only an argument on the first run, so I can't use the leaked address. And inside the ELF file I can't find valid gadgets to reopen a new FD or make a syscall.
I can push pointer to the heap in *RCX 0x602010 ◂— 0x0

and can increase it a few times, but this is not enough to do what I need.

Any hint? Thx

Thursday 1 October 2020, 15:05  #2
[STACKED] bin pwn ELF_x64 Off-by-one stack based
NonStandardModel
  • 42 posts

Why do you need gadgets? To put some values in registers.
Think about what else could have the same side effect.

Thursday 1 October 2020, 19:46  #3
[STACKED] bin pwn ELF_x64 Off-by-one stack based
swagcat228
  • 3 posts

Big thanks for the reply, Sir.
To be honest, I didn’t expect an answer.

Does any function call have a side effect?