Rating:
* Guess the stack offset, modify the pointer on the stack which point to `stderr` file struct to point to its `_fileno`: `0x20 ->0x90`.
* Use format string attack to overwrite `stderr->_fileno` 2 to 1.
* Got the output, when guess right.
* Leak libc , stack.
* Build ROP.
* One gadget.
* [exploit.py](https://github.com/ssspeedgit00/CTF/tree/master/2018/TokyoWesterns/Neighbor_C)
