Rating: 3.0
We can forge the return value of `snprintf` and overread the stack.Also we can craft a ROP chain byte by byte using the nonce token.
[writeup](https://ptr-yudai.hatenablog.com/entry/2019/06/03/113943#pwnable-410pts-otp_server)
I don't remember
