Rating:
1. leak libc by %34$p2. We're able to get the address of one_gadget, so overwrite ret address by one_gadget3. get shell
exploit [here](https://github.com/0x01f/pwn_repo/blob/master/Hackcon2018_elegent/solve.py)
I don't remember
