Control the return address. Now we're cooking! You can overflow the buffer and return to the flag function in the program. You can view source here. And connect with it using nc saturn.picoctf.net 62849
This is a basic buffer overflow where we overwrite the return address of vuln to the address of win. See the exploit script.py for more information.