Rating:

Leak the address of puts and search for the correct libc version. Then calculate the offsets and overflow the buffer with system and /bin/sh.

Original writeup (https://0xf4b1.github.io/ctftime/tuctf.com/pwn/leakalicious/).