GOT_IMMM
Overwrite the plt.got
dinner_time
Just call the various gadgets intentionally inserted
pibolar
Partially overwrite the saved rip on the stack to bypass ASLR.
Quick note: this will probably segfault because it tries to read flag.txt.
ADHD
Start off by leaking the address of puts in libc by calling puts(puts@plt.got). In the same ROP chain, call main again so the program reads more input from you.
Calculate the addresses of system and the "/bin/sh" string from the leaked libc address. For some reason /bin/sh wasn't calculated properly, so I had to do some work to adjust the address. That's why you see weird arithmetic on the last line.
Finally, call system("/bin/sh") and win.
poprops
I believe they also provided the necessary gadgets to call.
schizophrenia
The key issue here is that the program uses malloc without initialising the memory it returns.
This means any data already sitting at that address before malloc is called is still there afterwards.
Therefore my method is to make a big string, free it, and then malloc a few things and hope they end up inside the old string buffer.
Note that this exploit only works on my 16.04 VM and not my 18.04, so I can't guarantee it would work remotely.
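As an added illustration of the uninitialised-memory point above (example code, not taken from the writeup or the challenge): the reuse pattern the note relies on, beside a hardened version that scrubs the buffer before free and asks the allocator for zeroed memory. The buffer sizes, the marker byte and the helper names (scrub, count_stale) are constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * store as "dead" just because the buffer is freed right afterwards. */
static void scrub(unsigned char *buf, size_t n) {
    volatile unsigned char *p = buf;
    while (n--) *p++ = 0;
}

/* Count the bytes of buf that still carry the marker left by a previous owner. */
static size_t count_stale(const unsigned char *buf, size_t n, unsigned char m) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += (buf[i] == m);
    return hits;
}

/* The pattern the writeup relies on: a big buffer is filled, freed, and a
 * smaller allocation is then used without being initialised. How many marker
 * bytes survive depends on the allocator (tcache, bins, chunk splitting), which
 * is why the same behaviour differs between glibc versions. */
size_t reuse_without_init(size_t big, size_t small) {
    unsigned char *old = malloc(big);
    if (!old) return 0;
    memset(old, 'A', big);
    free(old);                            /* old contents are left in place */
    unsigned char *fresh = malloc(small); /* contents are unspecified */
    if (!fresh) return 0;
    size_t stale = count_stale(fresh, small, 'A');
    free(fresh);
    return stale;
}

/* Hardened version: scrub before free and request zeroed memory, so a new
 * allocation can never observe a previous owner's data. Always returns 0. */
size_t reuse_with_init(size_t big, size_t small) {
    unsigned char *old = malloc(big);
    if (!old) return 0;
    memset(old, 'A', big);
    scrub(old, big);                         /* nothing survives the free */
    free(old);
    unsigned char *fresh = calloc(small, 1); /* guaranteed zero-filled */
    if (!fresh) return 0;
    size_t stale = count_stale(fresh, small, 'A');
    free(fresh);
    return stale;
}
```

The unsafe function's result is allocator-dependent and may well be 0 on a modern glibc, which matches the author's observation that the behaviour differs between 16.04 and 18.04; the hardened function's result does not depend on the allocator at all.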