How to send a string format exploit through socket


I’m doing a CTF exercise here:

https://c-wars.acnr.se/download/level2.tgz

There is a Docker container with the vulnerable service, in which I need to find the value of a variable. I was able to do it with the following input:

    == Login Service 1.0 ==
    Username: %7$  s
    Password: a
    Welcome: ACNR{_SERVICE_FLAG_}

My issue now is that the submission needs to call a function that is going to send this string over a socket, so I guess I need to escape it. I have tried %7$ s, but it didn't work.

Submission format can be found at https://c-wars.acnr.se/download/MANUAL.pdf

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <stdint.h>
    #include "gamelib.h"

    uint32_t main(uint32_t argc, uint8_t ** argv)
    {
        svc_init();
        svc_set(10000);
        svc_writeln("gimme flag");
        svc_readuntil('}');
        return 0;
    }
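The class of bug the question describes, shown from the service side as an added example that is not part of the original post or the CTF's code: a username used as a format string, next to the hardened form and a small check for logging. The function names, the `SECRET` value and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the variable being leaked; not the real flag. */
static const char *SECRET = "ACNR{constructed_placeholder}";

/* Vulnerable pattern: the username is passed as the format string, so a
 * positional directive such as %1$s selects and prints an argument.
 * SECRET is passed explicitly here to keep the behaviour well defined;
 * in a real bug the directive reads whatever occupies that slot. */
void welcome_vulnerable(char *out, size_t n, const char *username)
{
    char line[128];
    snprintf(line, sizeof line, username, SECRET); /* BUG: input as format */
    snprintf(out, n, "Welcome: %s", line);
}

/* Hardened form: constant format string, username is only ever data. */
void welcome_fixed(char *out, size_t n, const char *username)
{
    snprintf(out, n, "Welcome: %s", username);
}

/* Detection helper for logging: 1 if s contains a conversion directive
 * (a '%' that is not part of a literal "%%"), else 0. */
int has_format_directive(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') { i++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *input = "%1$s"; /* constructed sample username */
    char buf[256];

    welcome_vulnerable(buf, sizeof buf, input);
    printf("vulnerable: %s\n", buf);
    welcome_fixed(buf, sizeof buf, input);
    printf("fixed:      %s\n", buf);
    printf("flagged:    %d\n", has_format_directive(input));
    return 0;
}
```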