ROP Emporium

fluff

The concept here is similar to the write4 challenge,
although we may struggle to find simple gadgets that will get the job done.

Click below to download the binary:

x86_64 x86 ARMv5 MIPS

Working backwards

Once we've employed our usual drills of checking protections and searching for interesting symbols & strings, we can think about what we're trying to achieve and plan our chain. A solid approach is to work backwards: we'll need a write gadget - for example mov [reg], reg or something equivalent - to make the actual write, so we can start there.

Do it!

There's not much more to this challenge; we just have to think about ways to move data into the registers we want to control. Sometimes we'll need to take an indirect approach, especially in smaller binaries with fewer available gadgets like this one. If you're using a gadget finder like ropper, you may need to tell it to search for longer gadgets. As usual, you'll need to call the print_file() function with a path to the flag as its only argument. Some useful(?) gadgets are available at the questionableGadgets symbol.
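To make the "work backwards from the write gadget" and "take an indirect approach" ideas from the two sections above concrete, here is an added planning example. It is not part of the ROP Emporium page and does not use the fluff binary: every gadget, address and value in it is constructed for illustration (the register names are x86_64, the addresses are made up). Starting from the registers the write gadget needs, it searches backwards through movement gadgets until it reaches a pop gadget, assembles the stack layout, and then replays the chain in a tiny register model to check that nothing clobbered the values on the way.

```python
"""Added example (not ROP Emporium's code): plan register loads backwards
from a write gadget and check the result with a small register model.
GADGETS and WRITE_GADGET below are constructed, not taken from fluff."""
from collections import deque

# Constructed gadget table: (address, effect).  Effects are
#   ("pop", dst)        -> pop dst; ret
#   ("mov", dst, src)   -> mov dst, src; ret
#   ("xchg", a, b)      -> xchg a, b; ret
GADGETS = [
    (0x400100, ("pop", "rax")),
    (0x400104, ("pop", "rbx")),
    (0x400108, ("mov", "rdx", "rax")),
    (0x40010c, ("xchg", "rdi", "rbx")),
    (0x400110, ("mov", "rsi", "rdx")),
]
# Constructed write gadget: mov [rdi], rsi; ret  (needs rdi=dest, rsi=data)
WRITE_GADGET = (0x400120, ("write", "rdi", "rsi"))


def plan_load(target_reg, gadgets=GADGETS):
    """Shortest gadget sequence (execution order) that moves a stack-
    supplied value into target_reg, or None.  Searches backwards: the
    question at each step is "which register feeds the one I need?"
    until a pop gadget (the only stack-controlled source) is reached."""
    parent = {target_reg: None}          # reg -> (reg it feeds, gadget addr)
    queue = deque([target_reg])
    while queue:
        reg = queue.popleft()
        for addr, effect in gadgets:
            kind = effect[0]
            if kind == "pop" and effect[1] == reg:
                chain, cur = [addr], reg  # walk parents: pop first, then moves
                while parent[cur] is not None:
                    cur, via = parent[cur]
                    chain.append(via)
                return chain
            src = None
            if kind == "mov" and effect[1] == reg:
                src = effect[2]
            elif kind == "xchg" and reg in effect[1:]:
                src = effect[2] if effect[1] == reg else effect[1]
            if src is not None and src not in parent:
                parent[src] = (reg, addr)
                queue.append(src)
    return None


def build_write_chain(dest_addr, qword, gadgets=GADGETS, write=WRITE_GADGET):
    """Stack words (lowest address first) that store `qword` at `dest_addr`
    by loading the write gadget's two operand registers, then calling it."""
    _, (_, addr_reg, data_reg) = write
    stack = []
    for reg, value in ((addr_reg, dest_addr), (data_reg, qword)):
        path = plan_load(reg, gadgets)
        if path is None:
            raise ValueError(f"no gadget path loads {reg}")
        stack += [path[0], value] + path[1:]   # pop, its operand, movers
    stack.append(write[0])
    return stack


def simulate(stack, gadgets=GADGETS, write=WRITE_GADGET):
    """Replay the chain in a register-only model.  Returns (regs, writes)
    where writes lists (dest, value) pairs the write gadget would store.
    This is the clobber check: a later load must not disturb an earlier one."""
    table = dict(gadgets + [write])
    regs, writes, i = {}, [], 0
    while i < len(stack):
        effect = table[stack[i]]
        kind = effect[0]
        if kind == "pop":
            i += 1
            regs[effect[1]] = stack[i]
        elif kind == "mov":
            regs[effect[1]] = regs.get(effect[2])
        elif kind == "xchg":
            a, b = effect[1], effect[2]
            regs[a], regs[b] = regs.get(b), regs.get(a)
        elif kind == "write":
            writes.append((regs.get(effect[1]), regs.get(effect[2])))
        i += 1
    return regs, writes


if __name__ == "__main__":
    # Constructed target: store the bytes "flag" (little-endian qword) at 0x601000.
    chain = build_write_chain(0x601000, 0x67616c66)
    print([hex(w) for w in chain])
    print(simulate(chain))
```

The backwards search is what the "Working backwards" section describes: the goal registers are fixed by the write gadget, so the search only ever asks which gadget feeds them. The replay step is the check to keep: with xchg-style gadgets in the mix, loading the second operand can silently undo the first, and the model catches that before anything is sent to a binary.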

"What a pain" ~mttaggart
