TL;DR: stack overflow through a bug in `snprintf` concatenation, pop shell via ROP, decrypt flag with TPM 2.0 tools. See [original writeup](https://abiondo.me/2018/12/02/pwn2win18-tpm20/).