Tags: exploit 

Rating: 2.0

You can just use the ret to plt to leak the puts libc address and then ret to main to rerun the program, and then you can calculate the system address based on the leaked puts libc address to get the libc base and then add the system offset to get the system address and then jump to system to get the shell.

working exploit is linked below.

Original writeup (https://github.com/mishrasunny174/CTF/blob/master/hsctf2019/binary%20exploitation/ComboChain/exploit.py).