Level13
After logging in to the level13 account, check the hint as follows.
This is the attackme source code. Since attackme has the setuid bit set, it is difficult to debug.
So I created the same program from the contents of the hint and analyzed the file I built instead.
I used gdb to analyze the program. The important part is the comparison of 0x123456 with the value located at ebp-12. This way of defending against a BOF is called Stack Guard.
In order to bypass it, the value 0x123456 must be placed at ebp-12.
I put a breakpoint at main+79 and analyzed it in detail.
As a result, I know that 8 bytes of dummy exist between ebp-12 and the SFP.
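The comparison described above is a hand-rolled stack canary: a sentinel word placed between the local buffer and the saved frame pointer and checked before the function returns. The following C model is an added example, not the level's source; it reproduces the layout the page describes (sentinel at ebp-12, 8 dummy bytes, SFP, return address) with the 0x123456 constant, shows the check catching a plain overflow down to a one-byte overrun, and includes a random_canary helper to illustrate the per-process random value that real stack protectors use instead of a constant. All function and field names are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define FIXED_CANARY 0x123456u   /* the constant the level compares against */

/* Frame model following the page's description: a 4-byte sentinel at
 * "ebp-12", 8 dummy bytes, then the saved frame pointer and return address.
 * A linear overflow of buf has to cross the sentinel before reaching them. */
struct frame {
    char     buf[1024];
    uint32_t canary;
    uint8_t  pad[8];
    uint32_t sfp;    /* saved frame pointer (SFP) */
    uint32_t ret;    /* return address */
};

/* Per-process random sentinel, the property the level's constant lacks.
 * Demo only: rand() is not a secure source; glibc takes the real canary
 * from the AT_RANDOM bytes the kernel supplies at exec time. */
uint32_t random_canary(void) {
    srand((unsigned)time(NULL));
    return ((uint32_t)rand() << 16) ^ (uint32_t)rand();
}

/* The check the page describes, done before the function would return:
 * 1 means the sentinel is intact, 0 means the frame was overwritten. */
int frame_check(const struct frame *f, uint32_t expected) {
    return f->canary == expected;
}

/* Build a frame, copy a string of `len` bytes of 'A' into buf with an
 * unbounded strcpy-style copy (the level's bug class), and report whether
 * the sentinel check still passes. The copy is clamped to the struct so
 * this demo never writes outside its own memory. */
int frame_survives(size_t len, uint32_t canary) {
    struct frame f;
    char *input = malloc(len + 1);
    if (!input) return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    memset(&f, 0, sizeof f);
    f.canary = canary;
    f.sfp = 0xbffffa00u;   /* constructed placeholder values */
    f.ret = 0x08048400u;
    size_t n = strlen(input) + 1;
    if (n > sizeof f) n = sizeof f;
    memcpy(f.buf, input, n);        /* overruns the canary once len > 1023 */
    free(input);
    return frame_check(&f, canary);
}
```

A 1023-byte input fits the buffer exactly; at 1024 bytes the terminating null already lands on the low byte of the sentinel, so the check fails before anything reaches the SFP.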
To bypass it using RTL, I checked the address of the system function, the address of the /bin/sh string, and whether ASLR was applied to libc.
I skip how to find the addresses above, because I already found them at level11.
Here is a diagram of the payload.
When I enter the payload, I can see that a shell as level14 is executed as follows, and I get the level14 password using the my-pass command.