Tags: pwn 

warm up

Buffer overflow with no stack canary; the address of `main` is leaked.

Re-call `printf` (at the instruction marked `call here` below) to print the address held in the GOT entry of `printf`:

```nasm
0x00000880 b800000000 mov eax, 0 ; call here
0x00000885 e806feffff call sym.imp.printf
0x0000088a b800000000 mov eax, 0
0x0000088f e8adffffff call sym.vuln
0x00000894 b800000000 mov eax, 0
0x00000899 5d pop rbp
0x0000089a c3 ret
```

After the libc address of `printf` is leaked, execution continues to `call sym.vuln`, so the `vuln` function is called again.

[read more](http://taqini.space/2020/05/11/Sharky-CTF-2020-pwn-wp/#give-away-2-294pt)

Original writeup (http://taqini.space/2020/05/11/Sharky-CTF-2020-pwn-wp/#give-away-2-294pt).