Tags: formatstring

Rating: 0

TLDR:
Use `%sX` to append characters to an internal stack buffer used by `printf` (a pointer to which is returned in `rsi`). Pad up to uninitialised stack data, and print it with `%s` to get a leak. Use `do_call` with `system` to get RCE.

Original writeup (https://sashactf.gitbook.io/pwn-notes/ctf-writeups/cor-ctf-2024/format-string).