Ghost in The Shellcode 2015 Teaser: Citadel solution

This is my exploit for the Citadel challenge in the Ghost in The Shellcode 2015 Teaser CTF. I have attached my IDB as well, so those of you with IDA Pro can see what the reversing-part of the process looked like.

The Citadel challenge consisted of a custom SIP server (Linux/x86_64), with NX, ASLR and partial RELRO enabled. After some time reverse-engineering the binary, I discovered a format string vulnerability in a call to asprintf(). However, to actually get data under our control on the stack, in order to use the format string vulnerability effectively, I had to do some further digging…

My final exploit code:

Below you can see the output of the exploit. :)

The vulnerable binary:
http://www.clevcode.org/files/citadel

My IDB for the binary:
http://www.clevcode.org/files/citadel.i64