Format String Exploitation - Unknown differences in leaked LIBC addresses


My goal is to get a better understanding of format string exploits.
While looking at different challenges, I always run into the same issue.
The information given below was obtained while solving the retired "Nightmare" pwn challenge from hackthebox, but I get the issue in other challenges as well. This example just serves as a reference.

The nightmare binary has the following protections:

RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled

The interesting part of the code is:

...
fgets(code, 6, stdin);
printf(code);
...

The goal is to overwrite a GOT entry.
One can download the Nightmare elf file for preparing the exploit and then has to run it against a server for obtaining the flag.
In this challenge no LIBC is provided for download so one has to determine the server version in the exploit process.

I did some enumeration locally to understand what values can be leaked via the printf call and the first 50 leaks are:

1 0xa702431
2 0xfbad2088
3 0xa702433
4 0x5555555592a5
5 0x21001
6 0xa70243625
7 (nil)
8 (nil)
9 (nil)
10 (nil)
11 (nil)
12 (nil)
13 (nil)
14 0x1
15 0x7ffff7df124a <__libc_start_call_main+122>: 0x2fe8c789
16 (nil)
17 0x555555555149 : 0xe5894855
18 0x100000000
19 0x7fffffffde58: 0xffffe2a0
20 0x7fffffffde58: 0xffffe2a0
21 0xd6f49242d225c3e
22 (nil)
23 0x7fffffffde68: 0xffffe2f0
24 0x555555557dd8
25 0x7ffff7ffd020 <_rtld_global>: 0xf7ffe2f0
26 0xae241031bf9d82f8
27 0xb238f83ac87fe046
28 (nil)
29 (nil)
30 (nil)
31 0x7fffffffde58: 0xffffe2a0
32 0x7fffffffde58: 0xffffe2a0
33 0x37407f72d1b00700
34 0xd
35 0x7ffff7df1305 <__libc_start_main_impl+133>: 0x643d8b4c
36 0x555555555149 : 0xe5894855
37 0x555555557dd8
38 (nil)
39 (nil)
40 (nil)
41 0x555555555060 <_start>: 0x8949ed31
42 0x7fffffffde50: 0xffffe28c
43 (nil)
44 (nil)
45 0x555555555081 <_start+33>: 0x0f2e66f4
46 0x7fffffffde48: 0xffffe273
47 0x7ffff7fc3160: 0xf7dca000
48 0x1
49 0x7fffffffe1d7: 0x5455415f
50 (nil)

Based on this output, the idea would be to choose suitable leaks for determining the LIBC version on the remote server. My local test system is Parrot OS 6.0 with the LIBC version "Debian GLIBC 2.36-9+deb12u4".
If I patch the local Nightmare elf file to have it use the LIBC file from the server (Ubuntu GLIBC 2.31-0ubuntu), I get the following leaks:

1 0x555555556079
2 0x6c
3 0xffffffff
4 0x7fffffffdcc2: 0x00000004
5 (nil)
6 0xa702436255500
7 0x683888d743a72400
8 0x7fffffffdcf0: 0xffffdd98
9 0x5555555554d5: 0x8d481beb
10 0x7fffffffdde0: 0xffffe298
11 0x3200000000000000
12 (nil)
13 0x7ffff7dfc0b3 <__libc_start_main+243>: 0x06e8c789
14 0x7ffff7ffc620 <_rtld_global_ro>: 0x00000000
15 0x7fffffffdde8: 0xffffe2cc
16 0x100000000
17 0x555555555478: 0xfa1e0ff3
18 0x555555555500: 0xfa1e0ff3
19 0x9a65c3e7407b898f
20 0x555555555180: 0xfa1e0ff3
21 0x7fffffffdde0: 0xffffe298
22 (nil)
23 (nil)
24 0xafa33525bd465d0c
25 0x954e9f04b050d755
26 (nil)
27 (nil)
28 (nil)
29 0x1
30 0x7fffffffdde8: 0xffffe2cc
31 0x7fffffffddf8: 0xffffe312
32 0x7ffff7ffe190: 0x55554000
33 (nil)
34 (nil)
35 0x555555555180: 0xfa1e0ff3
36 0x7fffffffdde0: 0xffffe298
37 (nil)
38 (nil)
39 0x5555555551ae: 0x8d4890f4
40 0x7fffffffddd8: 0xffffe284
41 0x1c
42 0x1
43 0x7fffffffe16b: 0x5455415f
44 (nil)
45 0x7fffffffe1b6: 0x752d4543
46 0x7fffffffe1df: 0x00323333
47 0x7fffffffe231: 0x4c00726f
48 0x7fffffffe242: 0x3d4e4f49
49 0x7fffffffe255: 0x4552475f
50 0x7fffffffe26e: 0x696c2f62

So the leaked addresses are very different between both versions of LIBC.
In the solutions I found online, people always obtained output similar to the server's and used position 13 "0x7ffff7dfc0b3 <__libc_start_main+243>" and the online database libc.blukat.me to determine the LIBC server version.
With my local output however, the leaks and the order of the leaks are just completely different.
For example, there is no leak to "__libc_start_main" at all in my local case but instead a leak to "__libc_start_call_main" at a different position.
I do not understand how I can relate my local leaks and the server leaks to determine the LIBC version of the server.
I run into this problem pretty much at every challenge where I have to determine the LIBC version online. In the provided walkthroughs I never see anyone face my problem. Everyone seems to get leaks similar to the server ones regarding position and content.

What am I missing?


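The following is an added example, not part of the question above, that works through the step the question is stuck on: sorting a "%N$p" leak listing by memory region and pulling out the part of a libc leak that a libc database can actually match. The two listings in the question were produced by different libc versions, so the frames above printf differ (on glibc 2.34 and newer, main returns into __libc_start_call_main; on older glibc, such as the server's 2.31, it returns into __libc_start_main), which is why the positions and symbols do not line up. What stays usable across runs and hosts is the low 12 bits of a libc pointer, because libc is mapped page-aligned. The sample input below is a constructed excerpt of the question's own gdb-annotated listings; the address-range checks assume gdb's default no-ASLR x86-64 layout, and the canary test is a heuristic, both of which are my assumptions, not something the question states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the two gdb-annotated "%N$p"
# leak listings in the question (local Debian glibc 2.36 run, and the same
# binary patched to the remote's Ubuntu glibc 2.31). Position = N in "%N$p".
LOCAL_LEAKS = """\
4 0x5555555592a5
15 0x7ffff7df124a <__libc_start_call_main+122>: 0x2fe8c789
19 0x7fffffffde58: 0xffffe2a0
25 0x7ffff7ffd020 <_rtld_global>: 0xf7ffe2f0
33 0x37407f72d1b00700
47 0x7ffff7fc3160: 0xf7dca000
"""

REMOTE_LIBC_LEAKS = """\
7 0x683888d743a72400
13 0x7ffff7dfc0b3 <__libc_start_main+243>: 0x06e8c789
14 0x7ffff7ffc620 <_rtld_global_ro>: 0x00000000
17 0x555555555478: 0xfa1e0ff3
"""

# "<pos> <value> [<symbol[+offset]>]"; gdb's trailing ": 0x..." dereference
# is ignored.
LINE_RE = re.compile(
    r"^(?P<pos>\d+)\s+(?P<val>0x[0-9a-f]+|\(nil\))"
    r"(?:\s+<(?P<sym>[^+>]+)(?:\+(?P<off>\d+))?>)?"
)


@dataclass
class Leak:
    pos: int
    value: int
    symbol: Optional[str]
    offset: int
    region: str


def region_of(value: int, symbol: Optional[str]) -> str:
    """Heuristic region tag for one leaked 64-bit value. Assumption: the
    no-ASLR layout gdb uses on x86-64 Linux (PIE at 0x555555554000, mapped
    libraries at 0x7ffff7..., stack at 0x7ffffffde000 and up), which is the
    layout the question's listings were produced under."""
    if value == 0:
        return "nil"
    if symbol and symbol.startswith(("_rtld_", "_dl_")):
        return "ld.so"                       # dynamic-loader data, not libc
    if value >> 32 == 0x5555:
        return "pie"                         # the PIE binary itself
    if 0x7FFFFF000000 <= value < (1 << 47):
        return "stack"
    if 0x7FFFF0000000 <= value < 0x7FFFFF000000:
        return "libc" if symbol else "mmap"  # libc, ld.so or another mapping
    if value >= (1 << 48) and value & 0xFF == 0:
        return "canary?"                     # x86-64 glibc canaries end in 0x00
    return "other"                           # counters, lengths, leftovers


def parse_leaks(listing: str) -> List[Leak]:
    leaks = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        value = 0 if m["val"] == "(nil)" else int(m["val"], 16)
        offset = int(m["off"]) if m["off"] else 0
        leaks.append(Leak(int(m["pos"]), value, m["sym"], offset,
                          region_of(value, m["sym"])))
    return leaks


def libc_lookup_keys(leaks: List[Leak]) -> List[Tuple[int, str, int, int]]:
    """Entries usable for a libc-database query: mapped-region pointers that
    gdb resolved to a libc symbol. libc is mapped page-aligned, so the low
    12 bits of such a pointer are identical on every run and on the remote
    host; (symbol, value & 0xfff) is the pair a database such as
    libc.blukat.me matches on. Returns (position, symbol, offset, low12)."""
    return [(l.pos, l.symbol, l.offset, l.value & 0xFFF)
            for l in leaks if l.region == "libc"]


if __name__ == "__main__":
    for name, listing in (("local glibc 2.36", LOCAL_LEAKS),
                          ("patched glibc 2.31", REMOTE_LIBC_LEAKS)):
        print(f"== {name}")
        parsed = parse_leaks(listing)
        for l in parsed:
            sym = f"<{l.symbol}+{l.offset}>" if l.symbol else ""
            print(f"%{l.pos}$p  {l.value:#018x}  {l.region:8s} {sym}")
        for pos, sym, off, low in libc_lookup_keys(parsed):
            print(f"   lookup: {sym}+{off} at %{pos}$p, low 12 bits {low:#05x}")
```

Two practical caveats follow from the question's own data. The remote server prints no symbols, so the position to query is chosen from a local run against a copy of the remote libc (the patched run above gives %13$p, low bits 0x0b3), not from a run against the local distribution's libc. And because the program reads the format string with fgets(code, 6, stdin), only five characters arrive, so a single "%NN$p" can reach positions 1 to 99 and nothing longer than that fits in one request.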