Summary:

Vulnerability in small buffer for integers, call `win()`, you can fit `/bin/sh` in the input buffer.

Original writeup (https://www.nevi.dev/2020/10/13/writeup-damctf-2020/#pwnallokay).