TL;DR: stack overflow through a bug in snprintf concatenation, pop shell via ROP, decrypt flag with TPM 2.0 tools. See original writeup.