Tags: fmtstr pwn 

Overwrite the self-pointer with the address where `__vfprintf_internal`'s return address is stored, then blindly change that return address to a one_gadget, using the one_gadget's offset from `__libc_start_main` combined with the asterisk (`*`) format specifier applied to main's return address. The success probability is lower-bounded by 1/32 (1/16 for a lucky stack brute force, and 1/2 for libc addresses usable with the asterisk format specifier).

Original writeup (https://cor.team/posts/Zh3r0%20CTF%20V2%20-%20All%20Pwnable%20Writeups).