Noted was a 32-bit pwnable that read and wrote notes backed by files on disk. Every file started with a 16-byte password, and after that you could write up to 0x400 bytes to the file. When editing a note, you were allowed to write as many bytes as the file previously contained, but the buffer had a fixed size. So if you found a way to create a file bigger than 0x400 bytes, you'd have a straightforward stack overflow. The bug was in how the length check interacted with the mandatory 16-byte password at the beginning. If you created a file that contained only the password, the length check would underflow and allow you to write (unsigned) -1 bytes to the file / local buffer. The same code would also leak the stack contents to you.
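The length-check underflow described above, next to a checked version, as an added example that is not the challenge binary's code. The function names and the exact arithmetic (in particular the `- 1` term, chosen so that a password-only file yields the "(unsigned) -1" result) are assumptions; only the 16-byte password and the 0x400-byte buffer come from the write-up.

```c
#include <stdint.h>
#include <stdio.h>

#define PASSWORD_LEN 16u     /* from the write-up: 16-byte password header */
#define NOTE_BUF_LEN 0x400u  /* from the write-up: fixed-size edit buffer  */

/* Assumed shape of the flawed check: the editable length is derived from
 * the on-disk size by unsigned subtraction, with no lower bound and no
 * clamp to the destination buffer. */
static uint32_t edit_limit_vulnerable(uint32_t file_size)
{
    /* file_size == 16 (password only) wraps around to 0xFFFFFFFF */
    return (uint32_t)(file_size - PASSWORD_LEN - 1u);
}

/* Hardened form: reject files with no body before subtracting, then clamp
 * the result to the buffer the bytes will be read into.
 * Returns 0 and sets *limit on success, -1 if the file must be rejected. */
static int edit_limit_checked(uint32_t file_size, uint32_t *limit)
{
    if (file_size <= PASSWORD_LEN)      /* header only, or truncated file */
        return -1;
    uint32_t body = file_size - PASSWORD_LEN - 1u;  /* cannot wrap now */
    if (body > NOTE_BUF_LEN)            /* never trust the on-disk size */
        body = NOTE_BUF_LEN;
    *limit = body;
    return 0;
}

int main(void)
{
    /* Constructed file sizes: password only, a normal note, an oversized file */
    const uint32_t sizes[] = { 16u, 0x110u, 0x2000u };
    for (unsigned i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint32_t safe = 0;
        int rc = edit_limit_checked(sizes[i], &safe);
        printf("size=0x%x vulnerable=0x%x checked=%s0x%x\n",
               (unsigned)sizes[i],
               (unsigned)edit_limit_vulnerable(sizes[i]),
               rc ? "rejected/" : "", (unsigned)safe);
    }
    return 0;
}
```

The checked version enforces both bounds the original logic lacked: a minimum file size before the unsigned subtraction, and a maximum tied to the destination buffer rather than to whatever size the file has on disk.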
From there it was slightly complicated ROP since I didn't figure out how to use the PLT on x86. First, leak the libc address from the GOT by jumping to one of the puts calls in the binary. On the next return we can gain code execution again by having the ebp