We can use the printf vulnerability to overwrite thr got entry,
at first stage we leak the libc address, and then overwrite puts@got entry to main to create a loop
in second stage we overwrite the printf@got entry to system so that whatever the program passes to printf will be then executed.

the working exploit is linked.

Original writeup (https://github.com/mishrasunny174/CTF/blob/master/hsctf2019/binary%20exploitation/CaesarsRevenge/exploit.py).