HTB Academy - Stack Based Buffer Overflow Final Assessment

Hey guys, I am struggling with the final assessment.

I’ve found the offset, checked the bad characters, and got the payload size but cannot set the EIP correctly.

When I try the following command run $(python -c 'print *blablabla* + "\x66\x66\x66\x66"'), the EIP point to 0x666666. which is expected. However, when I replace the "x66"s with the actual address of a NOPS, the EIP will become incorrect.

May I know if anyone come across the same problem and how do you solve it?