Tags: pwn fmt
Use a format string bug to leak libc and PIE, then do a GOT overwrite. Check out the writeup for a much more thorough explanation. Also check out https://github.com/guyinatuxedo/nightmare if you want to learn more about binary exploitation / reverse engineering.
https://github.com/guyinatuxedo/nightmare/tree/master/modules/10-fmt_strings/watevrctf19_betstar