[PWN] Little Tommy

Can anyone direct me on how to go about this challenge? I've got it to debug and analyzed how the program works in IDA etc., and figured out how the program works.

Panda Carry

Comments

  • Decompiling it using https://retdec.com/ (thanks @cmaddy) and viewing the source helped me see what was going on.

    delosucks

  • Thanks delo! I'll have to brush up on my code analysis.

    Panda Carry

  • Got the flag; if anyone needs help with this, LMK.

    Panda Carry

  • I'm doing this now. Would love a hint... does this need a BO....

  • It has to do with how freeing and allocation are done on the heap.

    Hack The Box

  • I could use some help on this challenge, too. I think I know the issue, but I am not able to reproduce it.

  • As a side note, the executable does suffer from a double free vulnerability. I wonder how ;) If anyone who has tried to exploit this could message me, that would be great. I don't want this message to get reported, so I'm not gonna say whether this is the right approach, but it's not hard to figure out.

    n3m0

    PS: I just love strings...don't you?

  • @davidlightman said:
    I could use some help on this challenge, too. I think I know the issue, but I am not able to reproduce it.

    Think about this: if you free a chunk on the heap that was initially allocated, and then you allocate memory again, where will this memory come from?

    You should disassemble the program and try to look for funny conditions :wink: and options in the program that can enable you to do frees and allocations, and figure out the order of calls to those options that will be to your advantage.

    Hack The Box
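
The reuse the hint above and the earlier "double free" comment are pointing at, as an added example that is not part of the thread or the challenge binary: a record is allocated and freed, a same-sized buffer is requested next, and on glibc that request is served from the chunk just freed, so a pointer kept after free() reads whatever the new buffer holds. The `struct account` layout, the `stale_record_admin_flag` function and the inputs are constructed for the example; the chunk-reuse behaviour is glibc's (tcache/fastbin) and is labelled as an assumption in the code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type, constructed for this example: a privilege flag
 * sits right after a fixed-size name buffer. */
struct account {
    char name[24];
    int  is_admin;
};

/* Allocate an account, free it, then request a same-sized buffer and fill it
 * with `input` (a stand-in for whatever the program reads from the user).
 * Assumption: glibc malloc, where the second malloc of the same size class
 * returns the chunk that was just freed (tcache, or a fastbin on older
 * versions), so the stale `acct` pointer now reads the bytes written via `buf`.
 * Returns the is_admin value seen through the stale pointer, or -1 if the
 * allocator handed out a different chunk (non-glibc behaviour). */
int stale_record_admin_flag(const char *input, size_t len)
{
    /* volatile keeps the compiler from folding the use-after-free read away */
    struct account *volatile acct = malloc(sizeof *acct);
    if (!acct)
        return -1;
    memset(acct, 0, sizeof *acct);
    strcpy(acct->name, "guest");

    free(acct);                          /* chunk goes into tcache (or a fastbin) */

    char *buf = malloc(sizeof *acct);    /* same size class: same chunk comes back */
    if (!buf)
        return -1;
    if ((void *)buf != (void *)acct) {   /* allocator did not reuse the chunk */
        free(buf);
        return -1;
    }
    memset(buf, 0, sizeof *acct);
    memcpy(buf, input, len < sizeof *acct ? len : sizeof *acct);

    int seen = acct->is_admin;           /* use after free: aliases buf[24..27] */
    free(buf);
    return seen;
}

int main(void)
{
    /* Constructed inputs: 24 filler bytes reach the flag, then one 0x01 byte lands on it. */
    const char harmless[] = "guest";
    const char crafted[]  = "AAAAAAAAAAAAAAAAAAAAAAAA\x01";

    printf("harmless input -> is_admin = %d\n",
           stale_record_admin_flag(harmless, sizeof harmless - 1));
    printf("crafted input  -> is_admin = %d\n",
           stale_record_admin_flag(crafted, sizeof crafted - 1));
    return 0;
}
```

The order of operations is the whole point: the free has to happen before the allocation that the user controls, and both requests have to fall in the same size class, which is why the hint tells you to map out which menu options allocate and free and in what order to call them. A caveat worth knowing when local and remote behaviour differ: glibc 2.29 and later detect an immediate double free of a tcache chunk and abort with "free(): double free detected in tcache 2", while older glibc versions do not, so the libc on the target matters.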

  • Thanks a lot! Appreciated!

  • I am doing something wrong (binary hacking noob), but I got 3 different behaviors of the program.
    Simply running the program has different behavior from running in gdb, which has different behavior from running on the HTB server.
    I don't want to spoil here; can I PM someone for a hint?
    And I don't want the solution, I am not here for points :)
    Thanks.

  • New to hackthebox. I managed to complete a few of the challenges, but haven't tried out the pwn challenges yet. Can someone help me out on where to start on Little Timmy?

  • Hey, I'm currently on it and a little help would be appreciated :D Don't wanna spoil anything, so please feel free to PM me so that I can explain to you where I am.

  • I have solved it for the most part; I can easily get it to work on my local machine, but on the server it halts and dies. Is this a problem with the server or does it have something to do with my method?

  • edited November 2018

    Edit: Never mind.

    opt1kz

  • Lost 8 hours of my weekend with this one; getting the flag was worth it. :)

  • edited February 27

    On my local machine I can get it to output a dummy-flag, but when I telnet to server I'm having issues reproducing. Not sure if it's a binary/newline type of issue, or what's going on. Anyone out there I can PM with?

  • Got it.

    HINT: You don't need to decompile the program; just search for strings inside the compiled program and keep spamming what you think is good.
    Of course you need to understand how to glitch the malloc with random tries before trying to spam strings :)

    If you appreciate my help, please give me +1 respect :)
    https://www.hackthebox.eu/home/users/profile/113070.

  • Hint:

    1. Banged my head for 4 days thanks to different program behavior in IDA Remote Linux Debugger; just use GDB.

    2. Liveroverflow's 0x16 on YouTube will help you ;)

  • *Liveoverflow
