TL;DR
1. Leak a stack pointer using a logic bug in the scanf format string.
2. Leak libc and PIE addresses through an arbitrary read, using functionality the binary already provides.
3. Use the arbitrary null pointer to overwrite `_IO_buf_base` of the `stdin` structure.
4. Get a shell \o/.

[Full Detailed Writeup](https://pwn-diaries.com/post/alles-ctf-2020-nullptr/)