Level 0 Username : narnia0 Password : narnia0 SSH : narnia.labs.overthewire.org:2226
To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.
As we can see, the executable declares a buffer for 20 characters. However, while scanning for the buffer, the executable allows up to 24 characters to be scanned in the buffer. Such a condition can result in buffer overflow. To read more on it, check this link. We can overflow the buffer to replace the value of variable ‘val’. We can replace the value to ‘0xdeadbeef’. I wrote the following script to see if we can overflow the buffer.
python -c 'print "A"*20+"\x10\x10\x10\x10"' | ./narnia0
As we can see, after passing 20 ‘A’ characters, the input overflows the buffer and replaces the value of ‘val’ to ‘0x10101010’ which are the last 4 input characters. Therefore, as we now know that we can overflow the buffer easily, let’s replace the value to ‘0xdeadbeef’.
As we can see above, the executable overflows the buffer, however, the shell closes before we have the opportunity to execute any commands. Therefore, we need to find a way to make the shell persist and not exit. To do that, we need to pass a command to the shell that makes it persist until we send the input. Commands like ‘cat’ can help us achieve that.
As we can see above, we can read the password for the next level now.
Level 1 Username : narnia1 Password : efeidiedae SSH : narnia.labs.overthewire.org:2226