1. leak libc by %34$p
2. We're able to get the address of one_gadget, so overwrite ret address by one_gadget
3. get shell

exploit here

Original writeup (https://github.com/0x01f/pwn_repo/blob/master/Hackcon2018_elegent/solve.py).