Jumpy

A ELF file jumpy and a C source code jumpy.c were given and there was a "Request Session" button.

Reading jumpy.c, I found these:

• It can construct some machine code and execute that via a simple assembler for x86.
• These instructions are available. Only there are available.
  • moveax (a 32-bit signed decimal integer) (b8 xx xx xx xx) : store the specified value to the register EAX.
  • jmp (a 8-bit signed decimal integer) (eb xx) : set the program counter to the address right after this instruction plus the specified value.
  • ret (c3) : pop the program counter from the stack.
• It finishes constructing machine code and moves to the execution phase when an invalid instruction is entered.
• It checks the jmp instructions after constructing machine code and refuses to execute that if the instruction at the jump destination is not any of the instructions listed here.
• It calls alarm(5); before executing the constructed machine code.

Now think about setting the least byte (the first byte in little-endian) of the value to set in the moveax instruction to 0xb8 and jumping to the least byte via the jmp instruction.
This will have it interpret the first byte of the next instruction of this moveax instruction and execute the value after that as instructions.
In other words, you can have it execute instructions in the yy yy yy yy part by placing instructions like this:

When I hit the "Request Session" button in Firefox, it seemed only showing "Calculating Proof of Work" and some other texts. It didn't look working well.
Pressing the button on Google Chrome resulted in a string ncat --ssl (a domain name) (an integer) appearing after a while.

I assumed that the integer is the port number.
I tried connecting to the domain and the port number via Tera Term, finding that a connection is established but nothing was shown after that and it became disconnected after about 10 seconds.
Also, I tried connection to the server like openssl s_client -connect (domain name):(port number) with OpenSSL that had already installed (OpenSSL 1.0.2n 7 Dec 2017).
As a result, information about the certificate, the session, etc. was printed, but it became disconnected right after that.
I succeeded to communicate with the server by downloading OpenSSL 1.1.1l 24 Aug 2021 from this page and using s_client in the same way:

Now I found how to communicate with the server.
I tried sending a code to launch /bin/sh via the execve system call. However, no response appeared after sending commands for shell and the shell didn't look available.
After that, I prepared to build a code to execute the specified command.

This is a program for building the code to execute based on.
Testing on CS50 IDE, I found that /bin/ls doesn't work well when the 2nd argument of execve is set to zero. Therefore, I had this program construct the array for the command-line arguments.

Sending this code to the server, I found an entry flag printed among the common directory names in the root directory.

Seeing this, I updated the program to construct a code to enable it specifying an argument.
These are the updated program and a program to work based on: