Hopefully you can find the right format for my secret! Source. Connect on shell2017.picoctf.com:10750.
We also have a small hint, telling us that it is vulnerable to format string exploit. From OWASP we can learn that.
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.
Now let's try connecting, and providing the program with some random input.
Exactly nothing happens. But we also now that our target is some value in hex format. Let's try to use format string exploit to get these numbers from a memory. It's possible by typing a few %x parameters.
See how the last value changes each time we run a program. Since we now that secret is generated using urandom, we can guess that that's it. Let's run one last time.