http://pastebinthehacker.blogspot.com.au/2017/01/insomnihack-2017-baby.html
TLDR: fmtstring to infoleak cookie + libc then rop to system using bufferoverflow

Original writeup (http://pastebinthehacker.blogspot.com.au/2017/01/insomnihack-2017-baby.html).