Hey there! I am assuming that you do not know about ret2libc attacks, but know about BOF attacks in general. I will try to explain briefly, because this is not something that can be said in a few lines.
Whenever a program makes a call to any function, it consults with what is called a PLT table, and finds out the entry in that table corresponding to that function. This entry is an address, which is a code stub that tries to find where the function exists in the currently loaded instance of libc. And where does it try to find the address of the function? In the GOT table, which also has entries corresponding to each imported function. This is the one that actually points to the function definitions in libc.
In dynamically linked binaries, the program isn't aware where the functions actually are for the first time when they are called, so consulting the PLT doesn't return the address of the function, but through a series of internal code stubs, the program makes the PLT find out the required function's address in libc (which is loaded in memory), then store it in the appropriate place in the GOT table, so that when the function is (if) needed again by the program, it does not have to look it up again, because it knows that jumping to the corresponding PLT address (which in turn calls the address in the GOT entry) will execute the function.
So, to leak the address of puts() itself in libc, we try to simulate the exact same thing that the program does. We jump to the PLT address of puts() (which means that whatever we pass in as argument will be printed to screen), and pass it the address (reference) of the GOT table entry of puts() (which points to the actual address of puts in libc). In effect, we just caused puts() to print out its own address! Clever, isn't it? Also, I chose the address of win() as the return address so that I get to send a BOF payload again for the next stage.
I hope this helped. This can be confusing to understand, so do your best understanding what's happening under the hood. then try to pwn this binary to see what you've learnt. All the best.
