Tags: fmtstr pwn 

Rating:

![](http://image.taqini.space/img/cap_dorsia_00:00:53_02.jpg)

`system-288` is an address of `one gadget` in libc and `a` is a buffer in stack. There is a format string vulnerability and we can use it to modify return address to the address of `one gadget`.

[full wp](http://taqini.space/2020/04/20/WPICTF-2020-pwn-linux-wp/#dorsia3-250pt)

Original writeup (http://taqini.space/2020/04/20/WPICTF-2020-pwn-linux-wp/#dorsia3-250pt).