Some simple tips/pointers on the interesting topic of format string vulnerabilities.
Most commonly associated with c/c++ and printf family of function calls.
Yes, you can read values of the stack using %p modifier and write to memory locations using %n.
Get some practice exploiting format string vulnerabilities over at https://exploit-exercises.com/protostar/format0/
Very straight forward examples – http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html