Our main() function needs to call system() and strcpy(). This is a no-PIE target, so we're looking for the addresses corresponding to <system@plt> and <strcpy@plt>. Use the disas command in gdb to investigate the main() function:
# gdb buff
(gdb) disas main
Remember that we're using strcpy() to copy our chosen bytes into memory, and system() to make an actual system command.