Exploit Dev — Format Strings

A format string bug — printf(user_input) instead of printf("%s", user_input) — gives you both an arbitrary memory read and an arbitrary write from one flaw. Part 10 used %p and %s to leak; here we use %n to WRITE. We turn %n plus %c padding into a write-what-where, do it safely byte-by-byte with %hhn, overwrite a GOT entry to redirect a call to system, and let pwntools fmtstr_payload assemble it.
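As an added illustration (not code from the original article), the C program below shows what `%n` and `%hhn` actually store, using an ordinary local variable as the destination instead of program memory, and puts the fixed call beside the vulnerable pattern; the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* %n stores the number of characters produced so far into the int it points
 * at. "%*c" emits one space padded to `width` columns, so after it the count
 * equals `width`: the padding width is exactly the value that gets written. */
int count_after_padding(int width) {
    int count = -1;
    char buf[1024];                      /* large enough that nothing truncates */
    snprintf(buf, sizeof buf, "%*c%n", width, ' ', &count);
    return count;                        /* == width */
}

/* %hhn stores only the low byte (an unsigned char) of the count. out[] is
 * filled with a 0xAA sentinel first so the caller can verify that exactly one
 * byte changed and its three neighbours were left untouched. This is why a
 * large count such as 0x1ff still lands a single byte, 0xff. */
void byte_write_after_padding(int width, unsigned char out[4]) {
    char buf[1024];
    memset(out, 0xAA, 4);
    snprintf(buf, sizeof buf, "%*c%hhn", width, ' ', &out[0]);
}

/* The fix: the format string is a compile-time literal and caller-supplied
 * text is only ever an argument, so "%n" inside `user` is printed, never
 * interpreted. Build with -Wformat -Wformat-security to have the compiler
 * flag printf(user) style calls, -D_FORTIFY_SOURCE=2 so glibc aborts on %n
 * in a writable format string, and -Wl,-z,relro,-z,now so the GOT is
 * read-only by the time user input is processed. */
int render_safe(char *out, size_t n, const char *user) {
    return snprintf(out, n, "%s", user);
}

int main(void) {
    unsigned char out[4];
    char line[64];
    printf("%%n after 42 columns of padding stores %d\n", count_after_padding(42));
    byte_write_after_padding(0x1ff, out);
    printf("%%hhn after 0x1ff columns stores 0x%02x, neighbours 0x%02x 0x%02x 0x%02x\n",
           out[0], out[1], out[2], out[3]);
    render_safe(line, sizeof line, "%n%n%hhn");
    printf("safe rendering of hostile text: \"%s\"\n", line);
    return 0;
}
```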
