Actually, I don't think the payload has to be this complicated. You can fit a payload under 16 bytes.
You can just:
1. mov ebx, [GOT of any function]
2. add/sub index between libc function offset and a one gadget (Need to exfil libc from system)
3. push ebx (The program will append ret)