Tags: pwn 

warm up

Buffer overflow, no canary; the address of main was leaked.

Call printf again to print the address stored in the GOT entry of printf:

0x00000880      b800000000     mov eax, 0             # call here
0x00000885      e806feffff     call sym.imp.printf 
0x0000088a      b800000000     mov eax, 0
0x0000088f      e8adffffff     call sym.vuln
0x00000894      b800000000     mov eax, 0
0x00000899      5d             pop rbp
0x0000089a      c3             ret

After leaking the address of printf in libc, the vuln function is called again.

Original writeup (http://taqini.space/2020/05/11/Sharky-CTF-2020-pwn-wp/#give-away-2-294pt).