Tags: rop 

1. Leak the address of a library function in the GOT. In this case, we’ll leak puts()’s GOT entry
2. Get libc’s base address so we can calculate the address of other library functions.
3. Compute system()'s address
4. Overwrite a GOT entry (puts) with system()’s address
5. Write "/bin/sh" to a writable area, in this case .bss
6. Invoke system("/bin/sh")
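Step 4 only works while the GOT is still writable at runtime, which is exactly what RELRO controls: partial RELRO leaves .got.plt writable for lazy binding, full RELRO (RELRO segment plus BIND_NOW) resolves everything at load and remaps the GOT read-only. The following Python script is an added defender-side check, not part of the original writeup or the challenge files; it classifies an ELF64 image's RELRO level the way checksec reports it. The function names are mine and the sample ELF images are constructed in-file (headers only, not loadable) to exercise the classifier.

```python
"""Classify an ELF64 binary's RELRO level, the mitigation that decides whether
a GOT overwrite (step 4 above) is possible at all.

Assumes a little-endian ELF64 with program headers (any normal Linux binary).
Usage: python relro_check.py ./binary   (no argument: run on constructed samples)
"""
import struct
import sys

# Constants from the ELF spec / glibc's elf.h
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 header
PHDR_FMT = "<IIQQQQQQ"           # 56-byte ELF64 program header
DYN_FMT = "<qQ"                  # 16-byte Elf64_Dyn entry


def _program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for every program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = fields
        yield p_type, p_offset, p_filesz


def _dynamic_entries(data, offset, size):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment up to DT_NULL."""
    end = offset + size
    while offset + 16 <= end:
        d_tag, d_val = struct.unpack_from(DYN_FMT, data, offset)
        if d_tag == DT_NULL:
            break
        yield d_tag, d_val
        offset += 16


def relro_level(data):
    """Return 'none', 'partial' or 'full', mirroring checksec's RELRO column."""
    has_relro_segment = False
    bind_now = False
    for p_type, p_offset, p_filesz in _program_headers(data):
        if p_type == PT_GNU_RELRO:
            has_relro_segment = True
        elif p_type == PT_DYNAMIC:
            for d_tag, d_val in _dynamic_entries(data, p_offset, p_filesz):
                if d_tag == DT_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
                    bind_now = True
    if not has_relro_segment:
        return "none"
    return "full" if bind_now else "partial"


def got_overwrite_possible(data):
    """True when .got.plt stays writable after loading (no or partial RELRO)."""
    return relro_level(data) != "full"


def build_sample_elf(relro, bind_now):
    """Constructed test image: ELF header, PT_DYNAMIC (+ optional PT_GNU_RELRO),
    and a tiny dynamic section. Not loadable, just enough for the classifier."""
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack(DYN_FMT, DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    phdrs = [struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # ELF64, little-endian, SysV
    ehdr = struct.pack(EHDR_FMT, ident, 3, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, n_ph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
        print(f"{sys.argv[1]}: RELRO={relro_level(image)} "
              f"GOT overwrite possible={got_overwrite_possible(image)}")
    else:
        for relro, now in ((False, False), (True, False), (True, True)):
            sample = build_sample_elf(relro, now)
            print(f"relro={relro} bind_now={now} -> {relro_level(sample)}")
```

On a real binary this reads only the program headers and dynamic section, so it gives the same answer for PIE and non-PIE executables; a "full" result means the chain above needs a different write target than the GOT, which is why build flags like `-Wl,-z,relro,-z,now` are the first thing to check when assessing a binary like this one.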

Original writeup (https://github.com/AnisBoss/CTFs/tree/master/Codegate%20CTF%202018/BaskinRobins31%20-%20226pts%20(Pwn)).