# Pumpking

## Target Information

- IP: ``

## Exploitation
- Running the executable asks for a password, which I found by running `strings pumpking`: `pumpk1ngRulez`. It then asks me to make a wish, with no guidance on how to do so.
- Tried running `ltrace ./pumpking` to see what functions are called, but it just segfaulted.
- Ran `edb --run pumpking` to debug the executable, but didn't find anything useful.
- Ran `valgrind -v ./pumpking` to see if there were any memory errors that were causing the segfault. Got an error about 32-bit vs 64-bit, so I ran `valgrind -v --log-file=valgrind.log ./pumpking` to generate a log of the output to determine what was causing the error:

```
==31736== Memcheck, a memory error detector
==31736== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==31736== Using Valgrind-3.15.0-608cb11914-20190413 and LibVEX; rerun with -h for copyright info
==31736== Command: ./pumpking
==31736== Parent PID: 16095
==31736==
--31736--
--31736-- Valgrind options:
--31736--    -v
--31736--    --log-file=valgrind.log
--31736-- Contents of /proc/version:
--31736--   Linux version 5.15.0-52-generic (buildd@lcy02-amd64-045) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022
--31736--
--31736-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-ssse3-avx-avx2-bmi-f16c-rdrand
--31736-- Page sizes: currently 4096, max supported 4096
--31736-- Valgrind library directory: /usr/lib/x86_64-linux-gnu/valgrind
--31736-- Reading syms from /.../challenge/pumpking
--31736-- Reading syms from /.../challenge/glibc/ld-linux-x86-64.so.2
--31736--    object doesn't have a symbol table

valgrind:  Fatal error at startup: a function redirection
valgrind:  which is mandatory for this platform-tool combination
valgrind:  cannot be set up.  Details of the redirection are:
valgrind:
valgrind:  A must-be-redirected function
valgrind:  whose name matches the pattern:      strlen
valgrind:  in an object with soname matching:   ld-linux-x86-64.so.2
valgrind:  was not found whilst processing
valgrind:  symbols from the object with soname: ld-linux-x86-64.so.2
valgrind:
valgrind:  Possible fixes: (1, short term): install glibc's debuginfo
valgrind:  package on this machine.  (2, longer term): ask the packagers
valgrind:  for your Linux distribution to please in future ship a non-
valgrind:  stripped ld.so (or whatever the dynamic linker .so is called)
valgrind:  that exports the above-named function using the standard
valgrind:  calling conventions for this platform.  The package you need
valgrind:  to install for fix (1) is called
valgrind:
valgrind:    On Debian, Ubuntu:                 libc6-dbg
valgrind:    On SuSE, openSuSE, Fedora, RHEL:   glibc-debuginfo
valgrind:
valgrind:  Note that if you are debugging a 32 bit process on a
valgrind:  64 bit system, you will need a corresponding 32 bit debuginfo
valgrind:  package (e.g. libc6-dbg:i386).
valgrind:
valgrind:  Cannot continue -- exiting now.  Sorry.
```

My guess is that it would work if the program ran with the proper libraries instead of the bundled versions, but since the challenge itself will be on the server, we won't be able to use that method.
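The valgrind failure above comes from the bundled `ld-linux-x86-64.so.2` having no symbol table, so valgrind cannot locate `strlen` to redirect. The following is an added example, not part of the original notes: a Python check that parses the ELF64 section-header table and reports whether a `.symtab` section survives, so a stripped loader can be spotted before valgrind is run against it. The `build_test_elf` helper is a constructed minimal image for offline testing, not the challenge binary.

```python
import struct
import sys

ELF64_SHDR = "<IIQQQQIIQQ"   # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def section_names(data: bytes) -> list:
    """Return the section names of a little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (shoff,) = struct.unpack_from("<Q", data, 0x28)                      # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)  # e_shentsize, e_shnum, e_shstrndx
    if shnum == 0:
        return []                                   # no section table at all (fully stripped)
    hdrs = [struct.unpack_from(ELF64_SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = hdrs[shstrndx][4]                  # file offset of .shstrtab
    names = []
    for sh in hdrs:
        start = strtab_off + sh[0]                  # sh_name indexes into .shstrtab
        names.append(data[start:data.index(b"\0", start)].decode())
    return names

def has_symtab(data: bytes) -> bool:
    """True when a .symtab section is present, i.e. the object was not stripped."""
    return ".symtab" in section_names(data)

def build_test_elf(with_symtab: bool) -> bytes:
    """Constructed ELF64 image (header + section table + .shstrtab) used for offline testing."""
    names = [".shstrtab"] + ([".symtab"] if with_symtab else [])
    shstr, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(shstr)
        shstr += n.encode() + b"\0"
    shnum = 1 + len(names)          # index 0 is the mandatory null section
    shoff = 64                      # section table directly after the ELF header
    shstr_off = shoff + shnum * 64  # .shstrtab bytes follow the section table
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, 1)
    shdrs = b"\0" * 64
    shdrs += struct.pack(ELF64_SHDR, name_off[".shstrtab"], 3, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)
    if with_symtab:
        shdrs += struct.pack(ELF64_SHDR, name_off[".symtab"], 2, 0, 0, shstr_off + len(shstr), 0, 0, 0, 8, 24)
    return ehdr + shdrs + shstr

if __name__ == "__main__":
    # Usage: python3 check_symtab.py glibc/ld-linux-x86-64.so.2
    image = open(sys.argv[1], "rb").read()
    print("has .symtab" if has_symtab(image) else "stripped: no .symtab, valgrind will not find strlen")
```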
- Took a core dump of the program to see if there is any additional useful information:

```
ulimit -c unlimited
sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t
./pumpking
```

Then, after the program segfaulted, I ran `gdb ./pumpking -c /tmp/core-pumpking.32928.ceo.1666630430` to see what was going on. All I got was the following:

```
(No debugging symbols found in ./pumpking)
[New LWP 32928]
Core was generated by `./pumpking'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007fffb04147a2 in ?? ()
```