Rating: 5.0

TLDR:

There is an off-by-one in the name field (it is too big) and you can corrupt the size of a note's content in EEPROM. When the "list" function reads the note onto the stack it can overflow. The ropchain needs to scan for TWI devices (7-bit brute force) and then you can read the flag from the target device (at 0x6a)

https://ctf.harrisongreen.me/2021/midnightsun/twi-light/

Original writeup (https://ctf.harrisongreen.me/2021/midnightsun/twi-light/).