Narnia · OverTheWire

Narnia Level 0 → Level 1

Level 0

Username : narnia0
Password : narnia0
SSH : narnia.labs.overthewire.org:2226

Solution

To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.

Screenshot from 2017-07-23 14-21-21.png

7-23-2017 2-22-41 PM.png

As we can see, the executable declares a buffer for 20 characters. However, while scanning for the buffer, the executable allows up to 24 characters to be scanned in the buffer. Such a condition can result in buffer overflow. To read more on it, check this link. We can overflow the buffer to replace the value of variable ‘val’. We can replace the value to ‘0xdeadbeef’. I wrote the following script to see if we can overflow the buffer.

python -c 'print "A"*20+"\x10\x10\x10\x10"' | ./narnia0

Screenshot from 2017-07-23 16-14-32.png

As we can see, after passing 20 ‘A’ characters, the input overflows the buffer and replaces the value of ‘val’ to ‘0x10101010’ which are the last 4 input characters. Therefore, as we now know that we can overflow the buffer easily, let’s replace the value to ‘0xdeadbeef’.

Screenshot from 2017-07-23 16-15-02.png

As we can see above, the executable overflows the buffer, however, the shell closes before we have the opportunity to execute any commands. Therefore, we need to find a way to make the shell persist and not exit. To do that, we need to pass a command to the shell that makes it persist until we send the input. Commands like ‘cat’ can help us achieve that.

Screenshot from 2017-07-23 17-17-54.png

As we can see above, we can read the password for the next level now.

Level 1

Username : narnia1
Password : efeidiedae
SSH : narnia.labs.overthewire.org:2226

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s