- format string in 0x13a2
- There is format string vulnerability on argv which is filename.
- Challenge gives you ssh to remote machine that has challenge file with SUID to user with flag.
- Using format string, there was a pointer to heap where flag have been copied to on offset 10.
- Using %s, you can print out the string stored in the heap.
ln -s /challenge/challenge /tmp/%p,%p,%p,%p,%p,%p,%p,%p,%p,%s