Tags: pwn 

This challenge required a ret2libc attack.

I first used write() to leak read's libc address using read's GOT entry.

I then used that leaked address to find the libc version using niklasb's libc-database.

I then used the libc library to find the offsets of system and the string '/bin/sh'.

I used the leaked address to calculate the libc base address (using read's offset), then jumped back to main and re-exploited the binary, but this time called system('/bin/sh').
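
Why a single leaked address is enough to narrow down the libc build and compute its base, as an added example (not code from the original writeup or from libc-database): ASLR moves libc by whole pages, so the low 12 bits of the leaked `read` address equal the low 12 bits of `read`'s offset in the matching build. The candidate table, its offsets and the leaked address are constructed sample values.

```python
PAGE_MASK = 0xFFF  # ASLR shifts libc by whole 4 KiB pages; the low 12 bits survive

# Constructed candidate table: names and offsets are sample values,
# not taken from any real libc build.
CANDIDATES = {
    "libc-sample-A": {"read": 0x0E1230, "system": 0x041560, "str_bin_sh": 0x171A2B},
    "libc-sample-B": {"read": 0x10C9A0, "system": 0x04B7F0, "str_bin_sh": 0x1A93C4},
    "libc-sample-C": {"read": 0x0D5230, "system": 0x03C110, "str_bin_sh": 0x165E77},
}

LEAKED_READ = 0x7F3A5C4E1230  # constructed runtime address of read()


def match_candidates(symbol, leaked_addr, candidates=CANDIDATES):
    """Names of candidates whose offset for `symbol` shares the leak's low 12 bits."""
    want = leaked_addr & PAGE_MASK
    return sorted(
        name for name, syms in candidates.items()
        if symbol in syms and (syms[symbol] & PAGE_MASK) == want
    )


def libc_base(leaked_addr, symbol_offset):
    """Base = leaked address - symbol offset; a valid base is page-aligned."""
    base = leaked_addr - symbol_offset
    if base & PAGE_MASK:
        raise ValueError("base not page-aligned: wrong libc build or wrong symbol")
    return base


def resolve(base, syms):
    """Runtime address of every symbol in one candidate's offset table."""
    return {name: base + off for name, off in syms.items()}


if __name__ == "__main__":
    hits = match_candidates("read", LEAKED_READ)
    print("candidates matching the leak:", hits)
    for name in hits:
        base = libc_base(LEAKED_READ, CANDIDATES[name]["read"])
        addrs = resolve(base, CANDIDATES[name])
        print(name, hex(base), {k: hex(v) for k, v in addrs.items()})
```

Two of the constructed candidates share the same low 12 bits for `read`, so one leak does not always single out a build; leaking a second symbol and matching both narrows the list further.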

A very detailed writeup can be found on [my website](https://syedfarazabrar.com/pwn/2019/06/22/hsctf-binary-exploitation-challenges.html#storytime).

Original writeup (https://syedfarazabrar.com/pwn/2019/06/22/hsctf-binary-exploitation-challenges.html#storytime).