Rating: 5.0

TL;DR: stack overflow through a bug in snprintf concatenation, pop shell via ROP, decrypt flag with TPM 2.0 tools. See original writeup.

Original writeup (https://abiondo.me/2018/12/02/pwn2win18-tpm20/).