Tags: pwn
Rating: 5.0
# Description:
**Our operatives found this site, which appears to control some of the androids’ infrastructure! There are only two problems. The robots love x86 assembly; the only thing easier for them to work with is binary. And they love terse command codes. Even 7 bytes was too many for this one.**
# Writeup:
We are given a binary and some text:
> You can send up to 6 bytes (hex encoded) as the first argument to the binary. The passed in bytes will be executed. The goal is to read the contents of the file in env['WUNTEE_CHALLENGE_FLAG'].
Inspecting the binary in ida confirms what we are told - the binary will check that we gave it 6 bytes as an argument (909090909090, for example), and execute them.
Right before executing them, the binary opens the file in **env['WUNTEE_CHALLENGE_FLAG']** and reads it into the stack.
![](https://i.imgur.com/TazUUGv.png)
Since we don't have the environment variable set, we will export it using "export WUNTEE_CHALLENGE_FLAG=/etc/passwd".
By setting a breakpoint right before our 6 bytes are executed, we can examine the registers:
![](https://i.imgur.com/ONMa986.png)
We want to print the flag into stdout, but we have only 6 bytes to do so.
Luckily, most of the registers are set for a write syscall:
```
|syscall | eax | ebx | ecx | edx |
| ------------- | -------- | -------- | -------- | -------- |
| sys_write | 0x04 | fd |Buff addr |Num Bytes |
```
EAX is 4 and EBX is 1 (stdout).
We need ECX to point to our flag, and EDX to be a bigger number (so we can read the whole flag at one go).
The following assembly code achieves this using only 6 bytes:
```
xchg ecx,edi //ecx will point to our flag
mov dl,0x64 //edx is a big number
int 0x80 //syscall
```
Or, in byte form:
87F9B264CD80