
Lecture cpp level cpp_lec02 not exploitable?

Status: Open. soffensive opened this issue (0 comments)

It seems the binary cannot be exploited as intended:

```
0x08048b6d <+0>:   push ebp
0x08048b6e <+1>:   mov ebp,esp
0x08048b70 <+3>:   and esp,0xfffffff0
0x08048b73 <+6>:   sub esp,0x60
0x08048b76 <+9>:   mov eax,DWORD PTR [ebp+0xc]
0x08048b79 <+12>:  mov DWORD PTR [esp+0xc],eax
0x08048b7d <+16>:  mov eax,gs:0x14
0x08048b83 <+22>:  mov DWORD PTR [esp+0x5c],eax
0x08048b87 <+26>:  xor eax,eax
0x08048b89 <+28>:  lea eax,[esp+0x18]
0x08048b8d <+32>:  mov DWORD PTR [esp],eax
0x08048b90 <+35>:  call 0x8048cd6 <_ZN7GreeterC2Ev>
0x08048b95 <+40>:  mov DWORD PTR [esp],0x8048d9c
0x08048b9c <+47>:  call 0x8048a40 printf@plt
0x08048ba1 <+52>:  call 0x8048c74 <_Z9doNothingv>
0x08048ba6 <+57>:  lea eax,[esp+0x1c]
0x08048baa <+61>:  mov DWORD PTR [esp],eax
0x08048bad <+64>:  call 0x80489f0 gets@plt
0x08048bb2 <+69>:  mov DWORD PTR [esp+0x4],0x8048dd9
0x08048bba <+77>:  lea eax,[esp+0x1c]
0x08048bbe <+81>:  mov DWORD PTR [esp],eax
0x08048bc1 <+84>:  call 0x8048a60 strcmp@plt
0x08048bc6 <+89>:  test eax,eax
0x08048bc8 <+91>:  jne 0x8048bdd <main+112>
0x08048bca <+93>:  lea eax,[esp+0x18]
0x08048bce <+97>:  mov DWORD PTR [esp],eax
0x08048bd1 <+100>: call 0x8048bf6 <_Z5greetP7Greeter>
0x08048bd6 <+105>: mov eax,0x0
0x08048bdb <+110>: jmp 0x8048be2 <main+117>
0x08048bdd <+112>: mov eax,0x1
0x08048be2 <+117>: mov edx,DWORD PTR [esp+0x5c]
0x08048be6 <+121>: xor edx,DWORD PTR gs:0x14
0x08048bed <+128>: je 0x8048bf4 <main+135>
0x08048bef <+130>: call 0x8048a50 __stack_chk_fail@plt
0x08048bf4 <+135>: leave
0x08048bf5 <+136>: ret
```

The buffer is allocated at esp+0x1c and has a size of 0x40 (64 bytes), and thus extends up to 0x5c. Yet the only thing we can overflow is the stack cookie at 0x5c. How is it possible to overwrite the vtable pointer, which is allocated at 0x18?

soffensive, Feb 19 '18 13:02
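The question above is really a stack-frame layout question: which locals sit between the buffer that `gets` writes into and the stack cookie, and which sit below it. The following is an added example (not code from the MBE course or from the issue author) that parses the gdb Intel-syntax listing posted above and reconstructs that layout mechanically: it records the frame size from `sub esp`, the cookie slot from the store of `gs:0x14`, and the first argument passed to each `call` by tracking `lea eax,[esp+N]` / `mov [esp],eax` pairs. From that it reports how many bytes an unbounded write through `gets` can place before it reaches the cookie, and which other stack objects lie above or below the buffer. The parser is a hypothetical helper written for this listing's format only (one instruction per line, `0xADDR <+OFF>: mnemonic operands`); it is not a general disassembly parser.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Disassembly of main() as posted in the issue (gdb, Intel syntax).
MAIN_DISASM = """\
0x08048b6d <+0>: push ebp
0x08048b6e <+1>: mov ebp,esp
0x08048b70 <+3>: and esp,0xfffffff0
0x08048b73 <+6>: sub esp,0x60
0x08048b76 <+9>: mov eax,DWORD PTR [ebp+0xc]
0x08048b79 <+12>: mov DWORD PTR [esp+0xc],eax
0x08048b7d <+16>: mov eax,gs:0x14
0x08048b83 <+22>: mov DWORD PTR [esp+0x5c],eax
0x08048b87 <+26>: xor eax,eax
0x08048b89 <+28>: lea eax,[esp+0x18]
0x08048b8d <+32>: mov DWORD PTR [esp],eax
0x08048b90 <+35>: call 0x8048cd6 <_ZN7GreeterC2Ev>
0x08048b95 <+40>: mov DWORD PTR [esp],0x8048d9c
0x08048b9c <+47>: call 0x8048a40 printf@plt
0x08048ba1 <+52>: call 0x8048c74 <_Z9doNothingv>
0x08048ba6 <+57>: lea eax,[esp+0x1c]
0x08048baa <+61>: mov DWORD PTR [esp],eax
0x08048bad <+64>: call 0x80489f0 gets@plt
0x08048bb2 <+69>: mov DWORD PTR [esp+0x4],0x8048dd9
0x08048bba <+77>: lea eax,[esp+0x1c]
0x08048bbe <+81>: mov DWORD PTR [esp],eax
0x08048bc1 <+84>: call 0x8048a60 strcmp@plt
0x08048bc6 <+89>: test eax,eax
0x08048bc8 <+91>: jne 0x8048bdd <main+112>
0x08048bca <+93>: lea eax,[esp+0x18]
0x08048bce <+97>: mov DWORD PTR [esp],eax
0x08048bd1 <+100>: call 0x8048bf6 <_Z5greetP7Greeter>
0x08048bd6 <+105>: mov eax,0x0
0x08048bdb <+110>: jmp 0x8048be2 <main+117>
0x08048bdd <+112>: mov eax,0x1
0x08048be2 <+117>: mov edx,DWORD PTR [esp+0x5c]
0x08048be6 <+121>: xor edx,DWORD PTR gs:0x14
0x08048bed <+128>: je 0x8048bf4 <main+135>
0x08048bef <+130>: call 0x8048a50 __stack_chk_fail@plt
0x08048bf4 <+135>: leave
0x08048bf5 <+136>: ret
"""

INSN_RE = re.compile(r"^0x[0-9a-f]+\s+<\+\d+>:\s+(\S+)\s*(.*)$")
ESP_RE = re.compile(r"^(?:DWORD PTR )?\[esp(?:\+(0x[0-9a-f]+))?\]$")
CALL_RE = re.compile(r"^0x[0-9a-f]+\s+<?([^\s>]+)>?$")


@dataclass
class FrameLayout:
    frame_size: int = 0                  # bytes reserved by "sub esp,N"
    cookie_offset: Optional[int] = None  # esp offset where gs:0x14 is stored
    calls: list = field(default_factory=list)  # (callee, first-argument value)


def _esp_offset(operand):
    """Return N for an operand of the form [esp+N] (or 0 for [esp]), else None."""
    m = ESP_RE.match(operand.strip())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else 0


def analyze_frame(disasm):
    """Walk the listing once, tracking eax symbolically and the outgoing-argument slots."""
    layout = FrameLayout()
    eax = None   # symbolic value currently in eax: ("stack", off) / ("cookie", None) / ...
    slots = {}   # outgoing-argument slots: esp offset -> symbolic value
    for line in disasm.splitlines():
        m = INSN_RE.match(line.strip())
        if not m:
            continue
        mnem, ops = m.group(1), [o.strip() for o in m.group(2).split(",")]
        if mnem == "sub" and ops[0] == "esp":
            layout.frame_size = int(ops[1], 16)
        elif mnem == "lea" and ops[0] == "eax":
            eax = ("stack", _esp_offset(ops[1]))          # address of a local
        elif mnem == "mov" and ops[0] == "eax":
            eax = ("cookie", None) if ops[1] == "gs:0x14" else ("other", ops[1])
        elif mnem == "xor" and ops[0] == "eax":
            eax = ("imm", 0)
        elif mnem == "mov" and _esp_offset(ops[0]) is not None:
            off = _esp_offset(ops[0])
            val = eax if ops[1] == "eax" else ("imm", int(ops[1], 16))
            if val[0] == "cookie":
                layout.cookie_offset = off                 # canary slot found
            else:
                slots[off] = val
        elif mnem == "call":
            cm = CALL_RE.match(ops[0])
            layout.calls.append((cm.group(1) if cm else ops[0], slots.get(0)))
    return layout


def overflow_reach(layout, writer="gets@plt"):
    """Which frame slots an unbounded write through `writer` can and cannot touch."""
    buf = next(arg[1] for callee, arg in layout.calls
               if callee == writer and arg and arg[0] == "stack")
    locals_ = sorted({arg[1] for _, arg in layout.calls if arg and arg[0] == "stack"})
    return {
        "buffer_offset": buf,
        "bytes_to_cookie": layout.cookie_offset - buf,      # write length before the canary
        "above_buffer": [o for o in locals_ if buf < o < layout.cookie_offset],
        "below_buffer": [o for o in locals_ if o < buf],    # never reached by an upward write
    }


if __name__ == "__main__":
    layout = analyze_frame(MAIN_DISASM)
    print("frame size 0x%x, cookie at esp+0x%x" % (layout.frame_size, layout.cookie_offset))
    for callee, arg in layout.calls:
        print("  %-22s first arg = %s" % (callee, arg))
    print(overflow_reach(layout))
```

Run on the listing above, the script reports that `gets` writes from esp+0x1c, that 64 bytes of input reach the cookie at esp+0x5c, that no other local lies between the two, and that the only other stack object (the `Greeter` whose constructor is called with esp+0x18) sits below the buffer. This is exactly the layout the issue describes, so the tool is a quick way to check a frame before spending time on it; if the compiler had placed the object above the buffer the `above_buffer` list would show it.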