Lecture cpp level cpp_lec02 not exploitable?

[soffensive]

It seems the binary cannot be exploited as intended:

0x08048b6d <+0>: push ebp
0x08048b6e <+1>: mov ebp,esp
0x08048b70 <+3>: and esp,0xfffffff0
0x08048b73 <+6>: sub esp,0x60
0x08048b76 <+9>: mov eax,DWORD PTR [ebp+0xc]
0x08048b79 <+12>: mov DWORD PTR [esp+0xc],eax
0x08048b7d <+16>: mov eax,gs:0x14
0x08048b83 <+22>: mov DWORD PTR [esp+0x5c],eax
0x08048b87 <+26>: xor eax,eax
0x08048b89 <+28>: lea eax,[esp+0x18]
0x08048b8d <+32>: mov DWORD PTR [esp],eax
0x08048b90 <+35>: call 0x8048cd6 <_ZN7GreeterC2Ev>
0x08048b95 <+40>: mov DWORD PTR [esp],0x8048d9c
0x08048b9c <+47>: call 0x8048a40 printf@plt
0x08048ba1 <+52>: call 0x8048c74 <_Z9doNothingv>
0x08048ba6 <+57>: lea eax,[esp+0x1c]
0x08048baa <+61>: mov DWORD PTR [esp],eax
0x08048bad <+64>: call 0x80489f0 gets@plt
0x08048bb2 <+69>: mov DWORD PTR [esp+0x4],0x8048dd9
0x08048bba <+77>: lea eax,[esp+0x1c]
0x08048bbe <+81>: mov DWORD PTR [esp],eax
0x08048bc1 <+84>: call 0x8048a60 strcmp@plt
0x08048bc6 <+89>: test eax,eax
0x08048bc8 <+91>: jne 0x8048bdd <main+112>
0x08048bca <+93>: lea eax,[esp+0x18]
0x08048bce <+97>: mov DWORD PTR [esp],eax
0x08048bd1 <+100>: call 0x8048bf6 <_Z5greetP7Greeter>
0x08048bd6 <+105>: mov eax,0x0
0x08048bdb <+110>: jmp 0x8048be2 <main+117>
0x08048bdd <+112>: mov eax,0x1
0x08048be2 <+117>: mov edx,DWORD PTR [esp+0x5c]
0x08048be6 <+121>: xor edx,DWORD PTR gs:0x14
0x08048bed <+128>: je 0x8048bf4 <main+135>
0x08048bef <+130>: call 0x8048a50 __stack_chk_fail@plt
0x08048bf4 <+135>: leave
0x08048bf5 <+136>: ret

The buffer is allocated at esp+0x1c and has a size of 0x40 (64 bytes) and thus extend up to 0x5c.
Yet, the only thing we can overflow is the stack cookie at 0x5c, how is it possible to overwrite the vtable pointer, which is allocated at 0x18?