This challenge required a ret2libc attack.
I first used write() to leak read's libc address using read's GOT entry
I then used that leaked address to find the libc version using niklasb's libc-database
I then used the libc library to find system and the string '/bin/sh's offsets
I used the leaked address to calculate the libc base address (using read's offset), then jumped back to main, re exploited the binary but this time called system('/bin/sh')
A very detailed writeup can be found on [my website](https://syedfarazabrar.com/pwn/2019/06/22/hsctf-binary-exploitation-challenges.html#storytime)