The description and source code can be found here:
http://exploit.education/phoenix/format-one/
This level is largely the same as the previous, except now we need to set the changeme variable to a specific value (0x45764f6c). We know we can overflow the dest variable with the “%x” format specifier. We can use a number before the “x” to specify how many characters to print. For example, the fill the 32 byte buffer for the dest variable, we can use “%32x”. Then we’ll simply append the required bytes for the changeme variable.
user@phoenix-amd64:~$ echo -e "%32x\x6c\x4f\x76\x45" | /opt/phoenix/amd64/format-one Welcome to phoenix/format-one, brought to you by https://exploit.education Well done, the 'changeme' variable has been changed correctly!
This one was easy 🙂 Moving forward, I arrived to the same solution this time. Almost the same, for the padding I used “%032x” instead of your better solution where we can save one char “%32x”. When I first read through the sprintf man page I didn’t realize that we were able to do that. With “%032” we are padding with “0” chars, and with just “%32” we are padding with spaces. Great!