Rating: 5.0

An easy but unique challenge.

You are allowed to sum 5 numbers together. There is an off-by-one error when inputting the 5 numbers, which actually lets you input 6 numbers.

The 6th number overwrites the pointer to the `total` variable, which lets you write the sum total of the 6 numbers as a value to whatever memory location you want.
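The bug class described above, as an added example that is not the challenge's own code: the frame layout (five input slots followed by the destination pointer), every function name and the sample inputs are assumptions made for illustration. It shows the `<=` loop bound next to the corrected `<` bound, plus a check that refuses to write through a pointer slot that has changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUMS 5

/* Constructed stack-frame model: slots[0..4] hold the inputs and
   slots[5] holds the address the total is written to. */
typedef struct { intptr_t slots[NUMS + 1]; } frame_t;

/* Buggy reader: "<=" accepts NUMS + 1 values, so the sixth one
   lands on the pointer slot. */
static size_t read_buggy(frame_t *f, const long *in, size_t n) {
    size_t i;
    for (i = 0; i <= NUMS && i < n; i++) f->slots[i] = in[i];
    return i;
}

/* Fixed reader: strict "<" keeps every write inside the input slots. */
static size_t read_fixed(frame_t *f, const long *in, size_t n) {
    size_t i;
    for (i = 0; i < NUMS && i < n; i++) f->slots[i] = in[i];
    return i;
}

/* Sums the inputs and stores the result through the pointer slot,
   refusing if the slot no longer holds the expected address. */
static int store_sum(frame_t *f, size_t count, long *expected) {
    long sum = 0;
    if (f->slots[NUMS] != (intptr_t)expected) return -1;
    for (size_t i = 0; i < count && i < NUMS; i++) sum += f->slots[i];
    *(long *)f->slots[NUMS] = sum;
    return 0;
}

/* Feeds six constructed inputs through one reader; returns the stored
   total, or -1 if the pointer slot was overwritten. */
static long run_demo(int use_fixed) {
    const long in[6] = {1, 2, 3, 4, 5, 0x1234}; /* constructed input */
    long total = 0;
    frame_t f = {{0}};
    f.slots[NUMS] = (intptr_t)&total;
    size_t n = use_fixed ? read_fixed(&f, in, 6) : read_buggy(&f, in, 6);
    return store_sum(&f, n, &total) == 0 ? total : -1;
}

int main(void) {
    printf("buggy reader: %ld\n", run_demo(0));
    printf("fixed reader: %ld\n", run_demo(1));
    return 0;
}
```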

Steps to exploitation:
1. Overwrite `exit_got` with a `pop rdi; ret` gadget
2. ROP chain to leak a libc address using `puts`
3. ROP chain to call `system('/bin/sh')`

A detailed writeup is at the link below.

Original writeup (https://faraz.faith/2019-10-20-secconctf-2019-sum/).