tl;dr: Format string vulnerability; use `%7$s` to leak flag.

Original writeup (https://dunsp4rce.github.io/redpwn-2020/pwn/2020/06/26/secret-flag.html).