Neither of our solutions were "reliable", and also required being run in a loop. (I know this about a1k0n's solution, as he sent me an e-mail asking me about my solution).
I actually have a 100% reliable solution that exploits the executable stack on level 04. No need to guess the address of the stack using one side effect that I found in this specific case:
Awesome!! I totally saw that call instruction, and then went on a wild goose chase thinking about how to get the string into that register, totally missing the fact that some of my earlier attempts at using printf had established that the string already happened to be there to begin with. Now I just feel dumb. ;P