QMM — HTB Challenge
retleave · Apr 21, 2026
QMM (Quantum Memory Manager) — HTB Challenge
Info
- Category: Pwn
- Difficulty: Hard
Introduction
QMM wraps standard heap operations in quantum computing metaphors: chunks are "qchunks" that can be placed in "superposition" (freed while the pointer is retained) and "measured" (re-observed), while "entanglement" creates linked copies that propagate edits. Behind the abstraction, the challenge implements a use-after-free through a race condition between the entanglement management threads and the superposition/measurement system. The entanglement's eptrs[] array retains dangling pointers after superposition frees the underlying chunk, and the manage_entanglement delete operation frees these stale pointers, giving a controlled UAF.

The exploit escalates the UAF into an _IO_2_1_stdout_ FILE structure hijack to leak libc and stack addresses, followed by tcache poisoning and a ROP chain for shell execution. The binary runs with Full RELRO, PIE, NX and a stack canary.

Vulnerability Analysis
Quantum Metaphors as Heap Primitives
The source code maps quantum concepts to memory operations:
| Quantum Concept | Actual Operation |
|---|---|
| Create qchunk | malloc(size) + write data |
| Delete qchunk | free(ptr) + NULL ptr |
| Edit qchunk | read(0, ptr, size) |
| Superposition | free(ptr) but keep ptr in struct |
| Measure | Random: either NULL the ptr or malloc(size) (consume) |
| Entanglement | malloc copies that mirror edits via memcpy |
| Manage entanglement | Create/delete entangled copies (threaded) |
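To make the bookkeeping concrete, here is an added toy model in C of the sequence the introduction describes. It is not the challenge's code: the struct layouts, the names qtab, etab, eptrs, freed_log, q_create, e_create, q_superpose, q_superpose_hardened, e_count_stale and e_delete are assumptions, the challenge's threaded race is replaced by one sequential interleaving, and freed_log[] is a model-only oracle that the real binary does not have. The model shows the stale pointer surviving in eptrs[] after superposition, the check a delete would need to refuse it, and the actual fix: superposition unlinking the entangled copies before freeing them.

```c
/* Added toy model of the eptrs[] bookkeeping bug described above, not the
 * challenge's source. Names and layouts are assumptions; the race is written
 * out as one sequential interleaving. freed_log[] is a model-only oracle (what
 * a heap sanitizer tracks): stale entries are found by pointer comparison and
 * are never dereferenced or freed a second time. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_Q 8
#define MAX_E 8

struct qchunk {
    char  *ptr;            /* superposition frees this but keeps the pointer */
    size_t size;
    bool   superposed;
    char  *copies[MAX_E];  /* entangled copies owned by this qchunk */
    size_t ncopies;
};
struct entanglement {
    char  *eptrs[MAX_E];   /* manager-thread view of the entangled copies */
    size_t n;
};

static struct qchunk qtab[MAX_Q];
static struct entanglement etab;
static char *freed_log[MAX_Q * (MAX_E + 1)];  /* model-only: currently freed */
static size_t nfreed;

static bool was_freed(const char *p) {
    for (size_t i = 0; i < nfreed; i++) if (freed_log[i] == p) return true;
    return false;
}
static void mark_live(const char *p) {  /* the allocator handed a freed chunk back */
    for (size_t i = 0; i < nfreed; i++) if (freed_log[i] == p) { freed_log[i] = freed_log[--nfreed]; break; }
}

/* Create qchunk: malloc(size) + write data. Returns 0 on success. */
int q_create(int idx, size_t size, const char *data) {
    if (idx < 0 || idx >= MAX_Q || qtab[idx].ptr || size == 0) return -1;
    char *p = calloc(1, size);
    if (!p) return -1;
    mark_live(p);
    strncpy(p, data, size - 1);
    qtab[idx] = (struct qchunk){ .ptr = p, .size = size };
    return 0;
}

/* Entangle: malloc a copy, register it with the qchunk and in eptrs[]. */
int e_create(int idx) {
    if (idx < 0 || idx >= MAX_Q || etab.n >= MAX_E) return -1;
    struct qchunk *q = &qtab[idx];
    if (!q->ptr || q->superposed || q->ncopies >= MAX_E) return -1;
    char *copy = malloc(q->size);
    if (!copy) return -1;
    mark_live(copy);
    memcpy(copy, q->ptr, q->size);
    q->copies[q->ncopies++] = copy;
    etab.eptrs[etab.n++] = copy;
    return 0;
}

/* Superposition as the writeup describes it: free the chunk and its copies,
 * keep ptr, and leave eptrs[] untouched, so its entries go stale. */
int q_superpose(int idx) {
    if (idx < 0 || idx >= MAX_Q) return -1;
    struct qchunk *q = &qtab[idx];
    if (!q->ptr || q->superposed) return -1;
    for (size_t i = 0; i < q->ncopies; i++) { freed_log[nfreed++] = q->copies[i]; free(q->copies[i]); }
    q->ncopies = 0;
    freed_log[nfreed++] = q->ptr;
    free(q->ptr);                       /* ptr deliberately retained */
    q->superposed = true;
    return 0;
}

/* Hardened superposition: unlink the copies from eptrs[] before freeing them
 * (in the threaded original this has to happen under the manager's lock). */
int q_superpose_hardened(int idx) {
    if (idx < 0 || idx >= MAX_Q) return -1;
    struct qchunk *q = &qtab[idx];
    if (!q->ptr || q->superposed) return -1;
    for (size_t i = 0; i < q->ncopies; i++)
        for (size_t j = 0; j < etab.n; j++)
            if (etab.eptrs[j] == q->copies[i]) { etab.eptrs[j] = etab.eptrs[--etab.n]; break; }
    return q_superpose(idx);
}

/* How many eptrs[] entries still point at memory superposition released? */
size_t e_count_stale(void) {
    size_t stale = 0;
    for (size_t i = 0; i < etab.n; i++) stale += was_freed(etab.eptrs[i]);
    return stale;
}

/* Delete with a check. The delete the writeup describes is free(eptrs[i]) with
 * no check, which on a stale entry is that chunk's second free. Returns 1 if
 * freed, 0 if refused. */
int e_delete(size_t i) {
    if (i >= etab.n || was_freed(etab.eptrs[i])) return 0;
    for (int q = 0; q < MAX_Q; q++)          /* unlink from the owning qchunk */
        for (size_t k = 0; k < qtab[q].ncopies; k++)
            if (qtab[q].copies[k] == etab.eptrs[i]) { qtab[q].copies[k] = qtab[q].copies[--qtab[q].ncopies]; break; }
    free(etab.eptrs[i]);
    etab.eptrs[i] = etab.eptrs[--etab.n];
    return 1;
}
```

Calling q_create, e_create, q_superpose and then e_count_stale returns 1: the entanglement still references a chunk superposition freed, and the unchecked free(eptrs[i]) the writeup describes would be that chunk's second free. The same sequence with q_superpose_hardened returns 0. The was_freed check in e_delete is only a model convenience; in the real program the fix is to invalidate the manager's view under the same lock that guards superposition.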
The UAF via Entanglement
Content Locked
This challenge is still active on HackTheBox. The full writeup will be available after retirement.