By reading the source code (i.e. echo.c), we know the program will use fgets to read user input and use printf to print it out.

However, there is a vulnerability exposed here which could be exploited using format string attack. First, we need to know how function is being called in C. Generally speaking, the argument(s) of a function call will be pushed onto the stack and popped from the stack later. Let's take an example of printf("%d %d\n", 1, 2)

Back to echo.c, What would happen if we entered "%x"? The function call printf(buf) would become printf("%x") and most importantly printf expects the argument is already on the stack and therefore it pops. In this case, we can use %x to try to get the address of flag_ptr (i.e. the 8th hexadecimal after attempts). Lastly, use %8$s to print the string using the address of flag_ptr.