1) admin action passes arbitrary `read` string to printf
=> format string exploit, gives arbitrary write
2) checks that all characters up to `strlen(input) + 1` are lower case, but strlen result is cast to 8 bit integer
=> using string of length 255 overflows to 255 + 1 = 0 for int8
Binary already has hidden function that executes `system("/bin/cat ./flag")` --> use format string attack to override puts GOT entry with address of that function (0x00400876)
See original writeup for details.