Exploit format strings with printf and leak a pointer to libc and overwrite the GOT entry of free with system function byte-by-byte with four format strings.

Original writeup (https://0xf4b1.github.io/ctftime/tuctf.com/pwn/vulnmath/).