The concept here is identical to the write4 challenge. The only difference is that we may
struggle to find gadgets that will get the job done. However, if we take our time to consider all our options,
Once we've employed our usual drills of checking protections and searching for
interesting symbols and strings, we can think about what we're trying to achieve and
plan our chain. A solid approach is to work backwards: we'll need a write gadget, for example
mov [reg], reg or something equivalent, to make the actual write, so we
can start there.
There's not much more to this challenge; we just have to think about ways to move
data into the registers we want to control. Sometimes we'll need to take an indirect
approach, especially in smaller binaries with fewer available gadgets like this one.
If you're using a gadget finder like ropper, you may need to tell it to search for longer gadgets.
As usual, you'll need to call the
print_file() function with a path to the flag as
the only argument. Some useful(?) gadgets are available at the