[PWN] Little Tommy

New to hackthebox. I managed to complete a few of the challenges, but haven't tried out the pwn challenges yet. Can someone help me out on where to start on Little Tommy?

Hey, I'm currently on it and a little help would be appreciated :smiley: Don't wanna spoil anything, so please feel free to PM me so that I can explain to you where I am.

I have solved it for the most part; I can easily get it to work on my local machine, but on the server it halts and dies. Is this a problem with the server, or does it have something to do with my method?

Edit: Never mind.

Lost 8 hours of my weekend with this one, but getting the flag was worth it. :slight_smile:

On my local machine I can get it to output a dummy-flag, but when I telnet to server I’m having issues reproducing. Not sure if it’s a binary/newline type of issue, or what’s going on. Anyone out there I can PM with?

Got it.

HINT: You don't need to decompile the program, just search for strings inside the compiled program and keep spamming what you think is good.
Of course you need to understand how to glitch the malloc with random tries before trying to spam strings :slight_smile:

Hint:

  1. Banging my head for 4 days thanks to a different program behavior in IDA Remote Linux Debugger, just use GDB

  2. Liveroverflow’s 0x16 on Youtube will help you :wink:

*Liveoverflow

@NoPurposeInLfe said:

Hint:

  1. Banging my head for 4 days thanks to a different program behavior in IDA Remote Linux Debugger, just use GDB

  2. Liveroverflow’s 0x16 on Youtube will help you :wink:

Thanks for the tutorial. It's really nice. I also had problems debugging with edb. I was not able to overwrite the specific part. It used new memory space every time. Finally, after recognizing how it should work, I tried it remotely and it worked instantly. In the end it's not very difficult.
Does anybody know why the debugger doesn't work as expected? Or does the configuration have to be changed to get it running? I'm trying to understand the behavior.

Simple but cool, learned a bit from doing this.
Hint: Think about the heap layout; once I realised that, I got it straight away.

Same happened to me as flammex: if something that feels like it should work doesn't, try it on the server.

I think I know what to do but it does not work for me. Can I dm someone?

@thedust said:

I think I know what to do but it does not work for me. Can I dm someone?

Never mind, I got it (received help from @flipthecoin)

(Never mind)

Good grief!!!
Watching the LiveOverflow video really helped me.
I was working on this in a Kali 2021 VM and I wasn’t seeing the behavior described with this sort of heap issue.
When I spun up an old Ubuntu instance it worked just like it was supposed to! If you aren’t seeing the behavior you expect, it might be your environment.
‘file little-tommy’ can help you get an idea as to how old of a distro you might want to load…

Thanks @itsgudenuf - I was really struggling to get the intended behavior using the Hack The Box pwnbox (Parrot OS 4.11). I never found a way to reproduce the target sequence on the pwnbox. But, when I connected to the hosted instance, it worked just as expected. That lack of reproducibility can be pretty distracting.

@itsgudenuf said:

Good grief!!!
Watching the LiveOverflow video really helped me.
I was working on this in a Kali 2021 VM and I wasn’t seeing the behavior described with this sort of heap issue.
When I spun up an old Ubuntu instance it worked just like it was supposed to! If you aren’t seeing the behavior you expect, it might be your environment.
‘file little-tommy’ can help you get an idea as to how old of a distro you might want to load…

Had the exact same problem. Thank you for your suggestion. I loaded up an old 10.04 version of Ubuntu and was able to simulate the expected behavior, no problem!

Actually very curious as to why. Could it be a security feature in newer versions of the Linux Kernel?

Hi all, I got the solution working locally and remotely. But I do have a question on the actual solution. Where can I ask my question without giving away spoilers etc…?