TL; DR. Classic format string exploit. Leak the address of `libc`, execute the vulnerable function again by overwriting `exit`, and finally overwrite `printf()` with `system()` to get a shell.
Original writeup (https://nave1337.herokuapp.com/index.html#os2021_pwninn).