First things first: let's run checksec. There's Partial RELRO, and no PIE. This opens a bundle of attacks, but for now let's not comment on that.
Running the program, we get one input. Spamming lots of chars, we get a stack smashing error. That means a canary.
Opening it up in radare2, we can inspect the "hidden" main function. We see it reads 0x120 bytes into rbp-0x110. Buffer overflow? Kinda, but I didn't use it except to trigger a canary mismatch.
Most importantly, it calls printf on our input directly, opening a range of format string attacks. The first thing that pops into mind is a format string overwrite, but what to overwrite? The only libc function called after our input is printf-ed is __stack_chk_fail, but that's only called if there's a canary mismatch.
Our goal? Overwrite __stack_chk_fail@GOT with the address of main, then trigger a canary mismatch. Everytime the canary mismatches, it'll try to call stack chk fail, but instead it'll just call main again. This gives us infinite calls of main, so we can do whatever we want with format strings including writing and reading before we deliver the final exploit.
I cut my exploit in 4 stages.
Stage 1: Overwrite __stack_chk_fail@got with the address of main. Trigger canary mismatch, main will call again
Stage 2: Leak __libc_start_main_ret using %77%lp. Make sure to trigger canary mismatch in order to call main again
Stage 3: Calculate libc base. Overwrite printf@GOT with system@libc. Trigger canary mismatch for the final time.
Stage 4: Enter /bin/sh. The program will attempt to call printf("/bin/sh"), actually calling system("/bin/sh"), popping a shell.
Note: remotely, for some reason, the shell is really unstable? After one command it breaks and disconnects. Still some form of temporary shell though, enough to cat flag.txt.