After a few days I discovered (by trying to solve this with a friend of mine, who has arch os, while I'm on ubuntu) that he can see an instruction's address in the stack with the format string vuln. I am not able to do that in ubuntu, everything I can print with that vulnerability is junk or stack addresses, not instructions' addresses... With that address it is now easy to calculate an offset and give the program a password with which to overwrite the function pointer. Now the question is, which mode is this challenge supposed to be run with?
I am new to proper binary exploitation, and I can't figure out how to continue this challenge.
I've seen that by inserting 104 random chars in the password I can overwrite the address of the called function, so I tried to modify it but the aslr is on, so nothing happened (but segmentation faults). Then I tried to overwrite just the last byte since it seems to be static (0x89 for normal, and 0x9c for authenticated) but the string terminator did its job by placing a 0x0 in the second byte so the address was useless again.
I figured out that there is a format string vulnerability in the first print (the name one) but it doesn't seem like what I can print is going to be very helpful... So can you give me a hint? What am I missing? After discovering the format string vulnerability I thought I could leak some address from which I could take the current base for the program, or something like that, but I can't do that...