Tags: pwn 

Rating: 5.0

We are taking the following steps in order to exploit the program.
1. Leak the remote libc (the address of puts is printed at the start, so we can use [libc-database](https://github.com/niklasb/libc-database)).
2. Create a soldier and give it a big enough answer_length (0x50 is enough).
3. Promote the soldier, which frees it.
4. Create a soldier again with an answer_length of -1, causing malloc to fail. By doing so we will have `soldier_struct->answer_length = -1` and `global_answer_length = 0x50`.
5. Promote the soldier. This time alloca won't actually allocate more memory. We can overflow into the return address and form a ROP chain.
6. Enjoy the shell :)
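
The root cause behind steps 2-5, modelled as an added example (not code from the original writeup or from the challenge binary): a failed allocation leaves the per-soldier length and the global length out of sync, and a hardened constructor closes that gap. All names, the struct layout, `MAX_ANSWER`, and the assumption that the stack buffer is sized from the struct field while the copy is sized from the global are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model: names and layout are assumptions, not the challenge source. */
struct soldier { char *answer; int answer_length; };
static int global_answer_length;           /* length the later copy trusts */

/* Flawed pattern: field written before malloc is checked, global updated
   only on success, so a failed allocation leaves the two out of sync. */
int create_buggy(struct soldier *s, int len) {
    s->answer_length = len;
    s->answer = malloc((size_t)len);       /* -1 converts to SIZE_MAX, malloc fails */
    if (!s->answer) return -1;             /* global keeps its stale value */
    global_answer_length = len;
    return 0;
}

/* Hardened: validate first, commit both lengths together, clear both on failure. */
#define MAX_ANSWER 0x400                   /* constructed limit */
int create_fixed(struct soldier *s, int len) {
    char *p = (len > 0 && len <= MAX_ANSWER) ? malloc((size_t)len) : NULL;
    s->answer = p;
    s->answer_length = p ? len : 0;
    global_answer_length = p ? len : 0;
    return p ? 0 : -1;
}

/* Bytes a copy sized by the global would write past a stack buffer sized by
   the struct field (a non-positive size reserves nothing useful). */
long promote_overrun(const struct soldier *s) {
    long reserved = s->answer_length > 0 ? s->answer_length : 0;
    long copied = global_answer_length > 0 ? global_answer_length : 0;
    return copied > reserved ? copied - reserved : 0;
}

/* Steps 2-4 of the list above, run against either constructor. */
long scenario(int (*create)(struct soldier *, int)) {
    struct soldier s = {0};
    global_answer_length = 0;
    if (create(&s, 0x50) == 0) { free(s.answer); s.answer = NULL; }
    create(&s, -1);
    long overrun = promote_overrun(&s);
    free(s.answer);
    return overrun;
}

int main(void) {
    printf("buggy: %ld bytes past buffer\n", scenario(create_buggy));
    printf("fixed: %ld bytes past buffer\n", scenario(create_fixed));
    return 0;
}
```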

Original writeup (https://github.com/Thankjnv/CTF-Writeups/tree/master/HackIT-CTF-2018-Army).