tl;dr

* There is an out-of-bounds access vulnerability in LFA.so.
* Use the out-of-bounds read to leak a heap address and a libc address.
* Use the out-of-bounds write to write a function pointer on the heap and hijack control flow.
* Pivot the stack and ROP to read the flag from fd 1023 and write it to stdout.

Original writeup (http://a7um.github.io/2017/12/31/LFA/).