Pumpking

Target Information

  • IP: ``

Exploitation

  • Running the executable asks for a password, which I found by running strings pumpking: pumpk1ngRulez

    It then asks for me to make a wish, with no guidance on how to do so.

  • Tried running ltrace ./pumpking to see what functions are called, but it just segfaulted.

  • Ran edb --run pumpking to debug the executable, but didn't find anything useful.

  • Ran valgrind -v ./pumpking to see if there were any memory errors that were causing the segfault.

    Got an error about 32-bit vs 64-bit, so I ran valgrind -v --log-file=valgrind.log ./pumpking to generate a log of the output to determine what was causing the error.

    ==31736== Memcheck, a memory error detector
    ==31736== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==31736== Using Valgrind-3.15.0-608cb11914-20190413 and LibVEX; rerun with -h for copyright info
    ==31736== Command: ./pumpking
    ==31736== Parent PID: 16095
    ==31736==
    --31736--
    --31736-- Valgrind options:
    --31736--    -v
    --31736--    --log-file=valgrind.log
    --31736-- Contents of /proc/version:
    --31736--   Linux version 5.15.0-52-generic (buildd@lcy02-amd64-045) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022
    --31736--
    --31736-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-ssse3-avx-avx2-bmi-f16c-rdrand
    --31736-- Page sizes: currently 4096, max supported 4096
    --31736-- Valgrind library directory: /usr/lib/x86_64-linux-gnu/valgrind
    --31736-- Reading syms from /.../challenge/pumpking
    --31736-- Reading syms from /.../challenge/glibc/ld-linux-x86-64.so.2
    --31736--    object doesn't have a symbol table
    
    valgrind:  Fatal error at startup: a function redirection
    valgrind:  which is mandatory for this platform-tool combination
    valgrind:  cannot be set up.  Details of the redirection are:
    valgrind:
    valgrind:  A must-be-redirected function
    valgrind:  whose name matches the pattern:      strlen
    valgrind:  in an object with soname matching:   ld-linux-x86-64.so.2
    valgrind:  was not found whilst processing
    valgrind:  symbols from the object with soname: ld-linux-x86-64.so.2
    valgrind:
    valgrind:  Possible fixes: (1, short term): install glibc's debuginfo
    valgrind:  package on this machine.  (2, longer term): ask the packagers
    valgrind:  for your Linux distribution to please in future ship a non-
    valgrind:  stripped ld.so (or whatever the dynamic linker .so is called)
    valgrind:  that exports the above-named function using the standard
    valgrind:  calling conventions for this platform.  The package you need
    valgrind:  to install for fix (1) is called
    valgrind:
    valgrind:    On Debian, Ubuntu:                 libc6-dbg
    valgrind:    On SuSE, openSuSE, Fedora, RHEL:   glibc-debuginfo
    valgrind:
    valgrind:  Note that if you are debugging a 32 bit process on a
    valgrind:  64 bit system, you will need a corresponding 32 bit debuginfo
    valgrind:  package (e.g. libc6-dbg:i386).
    valgrind:
    valgrind:  Cannot continue -- exiting now.  Sorry.
    

    My guess is that it would work if the program ran with the proper libraries instead of the bundled versions, but since the challenge itself will be on the server, we won't be able to use that method.

  • Took a core dump of the program to see if there is any additional useful information:

    ulimit -c unlimited
    sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t
    ./pumpking
    

    Then, after the program segfaulted, I ran gdb ./pumpking -c /tmp/core-pumpking.32928.ceo.1666630430 to see what was going on. All I got was the following:

    (No debugging symbols found in ./pumpking)
    [New LWP 32928]
    Core was generated by `./pumpking'.
    Program terminated with signal SIGILL, Illegal instruction.
    #0  0x00007fffb04147a2 in ?? ()
    
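    The core-dump steps above silently fail on many boxes (hard core-size limit of 0, or a core_pattern that pipes into apport/systemd-coredump), and the core file name has to be reconstructed from the pattern. Below is an added helper script, not part of the original notes, that checks those prerequisites, expands the core_pattern placeholders used above, and loads a core into gdb non-interactively. Function names and the demo values (pumpking, pid 32928, host ceo, timestamp 1666630430, taken from the gdb invocation above) are this example's own.

```shell
#!/bin/sh
# Added example: prerequisites and bookkeeping for getting a usable core file
# out of a crashing challenge binary. Not from the original notes.

# Return 0 when core_pattern hands cores to a userspace helper instead of a file.
core_pattern_is_pipe() {
    case $1 in
        \|*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Expand the core_pattern placeholders we care about (%e executable name,
# %p pid, %h hostname, %t epoch seconds); other specifiers are left untouched.
# Arguments: pattern exe pid host epoch
core_path_from_pattern() {
    pattern=$1; exe=$2; pid=$3; host=$4; t=$5
    # '|' is the sed delimiter, so the substituted values must not contain it.
    printf '%s\n' "$pattern" | sed \
        -e "s|%e|$exe|g" \
        -e "s|%p|$pid|g" \
        -e "s|%h|$host|g" \
        -e "s|%t|$t|g"
}

# Report whether this shell + kernel will actually write a core to disk.
# Prints the reason and returns 1 when it will not.
core_dump_ready() {
    limit=$(ulimit -c)
    if [ "$limit" = "0" ]; then
        echo "core size limit is 0: run 'ulimit -c unlimited' first (check 'ulimit -Hc' if that fails)"
        return 1
    fi
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo core)
    if core_pattern_is_pipe "$pattern"; then
        echo "core_pattern pipes to a helper ($pattern): use coredumpctl/apport, or point it at a path with sysctl"
        return 1
    fi
    echo "core dumps enabled (limit=$limit, pattern=$pattern)"
    return 0
}

# Load binary + core in gdb without an interactive session: gdb prints the
# terminating signal on load; we add the faulting instruction and a backtrace.
# Arguments: binary corefile
analyze_core() {
    gdb -q -batch -ex 'x/4i $pc' -ex 'info registers rip' -ex 'bt' "$1" -c "$2"
}

# Demo with the (constructed) values from the run above; prints
# /tmp/core-pumpking.32928.ceo.1666630430
core_path_from_pattern '/tmp/core-%e.%p.%h.%t' pumpking 32928 ceo 1666630430
```

    Run core_dump_ready before the target, and analyze_core ./pumpking "$(core_path_from_pattern ...)" afterwards; with a stripped binary the backtrace will still be bare addresses, so the `x/4i $pc` line is what tells you which instruction raised SIGILL.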

Tags

  1. hackthebox (Private)
  2. easy (Private)
  3. pwn (Private)