Hacking TMNF: Part 2 - Exploiting a blind format string

We discussed this vulnerability during Episode 160 on 18 October 2022

A format-string bug in the Trackmania Forever server, reachable from server clients. It is a pretty straightforward bug: input from a client RPC gets passed to a print function on the server as the format string.

The context is a bit more interesting, though. Because the print happened on the server, exploitation was blind, and unlike most format-string CTF challenges the printed string was stored on the heap, so there was no easy way to pop controlled pointers off the stack. However, with no PIE and a statically linked binary, offsets were predictable, and the author pulled off a neat chain by targeting the saved base pointers on the stack to build a write gadget for a more useful primitive.