TLDR: We need to read more EEPROM but it seems to be hardcoded to prevent us from reading more than 197 bytes. However, when malloc runs out of space it returns a null pointer which overlaps with the memory mapped registers. We can craft an object that writes a string here and control all of the registers. This allows us to corrupt the stack pointer to a region of memory we control and use ROP gadgets.

At first, I just leaked the rest of EEPROM which tells us to turn on pin B5. Then, I used different gadgets to write data to DDRB and PORTB which turns on the light and gives us the flag.

[Full writeup](https://ctf.harrisongreen.me/2020/midnightsunctf/avr/)