Tags: pwn 

Rating: 5.0

# Description:
**Our operatives found this site, which appears to control some of the androids’ infrastructure! There are only two problems. The robots love x86 assembly; the only thing easier for them to work with is binary. And they love terse command codes. Even 7 bytes was too many for this one.**

# Writeup:
We are given a binary and some text:

> You can send up to 6 bytes (hex encoded) as the first argument to the binary. The passed in bytes will be executed. The goal is to read the contents of the file in env['WUNTEE_CHALLENGE_FLAG'].

Inspecting the binary in ida confirms what we are told - the binary will check that we gave it 6 bytes as an argument (909090909090, for example), and execute them.
Right before executing them, the binary opens the file in **env['WUNTEE_CHALLENGE_FLAG']** and reads it into the stack.


Since we don't have the environment variable set, we will export it using "export WUNTEE_CHALLENGE_FLAG=/etc/passwd".

By setting a breakpoint right before our 6 bytes are executed, we can examine the registers:


We want to print the flag into stdout, but we have only 6 bytes to do so.
Luckily, most of the registers are set for a write syscall:

|syscall | eax | ebx | ecx | edx |
| ------------- | -------- | -------- | -------- | -------- |
| sys_write | 0x04 | fd |Buff addr |Num Bytes |

EAX is 4 and EBX is 1 (stdout).

We need ECX to point to our flag, and EDX to be a bigger number (so we can read the whole flag at one go).

The following assembly code achieves this using only 6 bytes:
xchg ecx,edi //ecx will point to our flag
mov dl,0x64 //edx is a big number
int 0x80 //syscall
Or, in byte form: