This pwn challenge is worth 100 points.
I used a “call eax” gadget found with ROPgadget. eax points to the start of the payload, so I used a little “shellcode” to add 0x32 to esp and then call esp to jump into the NOP sled. I found the opcodes (“\x83\xC4\x32\xFF\xD4”) with https://defuse.ca/online-x86-assembler.htm
Here is the exploit code:
We have a shell! Challenge done!
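To confirm what the five stub bytes quoted above encode without relying on an online assembler, here is an added example (not part of the original write-up) that decodes them by hand from the ModRM byte. It only covers the register-direct forms of opcodes 0x83 and 0xFF /2, and the function names `decode_one` and `decode_all` are made up for this illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 32-bit register names indexed by the 3-bit ModRM r/m field. */
static const char *REG32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
/* Group-1 operations selected by ModRM.reg for opcode 0x83 (r/m32, imm8). */
static const char *GRP1[8] = {"add","or","adc","sbb","and","sub","xor","cmp"};

/* Decode one instruction into out; return its length, or 0 if unsupported.
   Only register-direct operands (ModRM.mod == 3) are handled. */
size_t decode_one(const uint8_t *code, size_t len, char *out, size_t outsz)
{
    if (len < 2) return 0;
    uint8_t op = code[0], modrm = code[1];
    uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod != 3) return 0;                      /* memory operands not covered */
    if (op == 0x83 && len >= 3) {                /* 83 /r ib: sign-extended imm8 */
        uint32_t imm = (uint32_t)(int32_t)(int8_t)code[2];
        snprintf(out, outsz, "%s %s, 0x%x", GRP1[reg], REG32[rm], (unsigned)imm);
        return 3;
    }
    if (op == 0xFF && reg == 2) {                /* FF /2: near indirect call */
        snprintf(out, outsz, "call %s", REG32[rm]);
        return 2;
    }
    return 0;
}

/* Decode a whole buffer; return the instruction count, or -1 on unsupported bytes. */
int decode_all(const uint8_t *code, size_t len, char out[][32], int max)
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        if (n == max) return -1;
        size_t used = decode_one(code + off, len - off, out[n], 32);
        if (used == 0) return -1;
        off += used;
    }
    return n;
}

int main(void)
{
    const uint8_t stub[] = {0x83, 0xC4, 0x32, 0xFF, 0xD4};  /* bytes quoted in the write-up */
    char text[4][32];
    int n = decode_all(stub, sizeof stub, text, 4);
    for (int i = 0; i < n; i++) puts(text[i]);
    return n == 2 ? 0 : 1;
}
```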