Utilizing Out-of-bounds write to overwrite an adjacent memory chunk to bypass login and using Format String Vulnerability to overwrite a check and overwrite return address on the stack to perform ROP.
Using printf to first leak libc/pie, then overwriting a global variable which gives us a write primitive which is suspecitble to buffer overflow, then simple rop.