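tl;dr: Format string exploit with PIE enabled, but you have to provide the format string before getting a leak (and you get to write some data after the leak). You can get around this by using the * width specifier, which makes printf take the field width from an argument rather than from the format string itself.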
See original writeup for details.