Narnia · OverTheWire

Narnia Level 2 → Level 3

Level 2

Username : narnia2
Password : nairiepecu
SSH : narnia.labs.overthewire.org:2226

Solution

To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.


As we can see, the executable copies the argument into a buffer and then prints it. The buffer size allocated is 128 characters. Therefore, if we overflow the buffer by supplying more bytes than the executable expects, we can overwrite the saved return address, which is loaded into the instruction pointer (EIP), and redirect execution to our shellcode. This level is very similar to the last level; however, this time around the executable does not run our shellcode for us. We need to place our shellcode at a location whose address we know, so that the executable can jump to it. In this scenario, I can think of two easy ways to solve this:

  1. Put the shellcode in the buffer and then jump to it after finding its address.
  2. Put the shellcode in an environment variable and jump to that address.

Since this level is very similar to the previous level, I decided to use an environment variable to execute the shellcode. In the previous level, the executable executed our shellcode within the variable; this time around, we will need to overwrite the return pointer so that execution jumps to our shellcode address.

Let’s first determine how many bytes it takes before the input overwrites the return pointer.


As we can see above, the return pointer is overwritten after 140 characters. Therefore, we need to input our shellcode address after 140 characters.


Using the above programs, we will now create a simple Python script to overflow the return pointer with the address returned by the findeggaddr executable.


As we can see above, despite having an address for the shellcode, the executable throws a Segmentation Fault error with no core dump. At this point, to evaluate the core, I decided to make a copy of the narnia2 executable in my temp directory and understand what’s happening behind the scenes.


As we can see, the executable does return to our address; however, it still segfaults. Let’s see whether our environment address is correct.


As we can see above, our address for EGG was incorrect and we can find the correct address by reading the environment variables inside gdb. After getting the correct value for shellcode address, we can execute narnia2 to get the password for the next level.
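The root cause described at the start of this solution is an argument copied into a 128-byte stack buffer with no length check. As an added example (not the level's source, which appears only in a screenshot, and not the author's code), here is a bounded version of that copy which rejects oversized arguments instead of letting them reach the return pointer; `copy_arg` and `handle_arg` are hypothetical names, and the unbounded call is assumed to be `strcpy()`.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128  /* buffer size stated in the write-up */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if src is NULL or needs more than dstsz bytes.
 * On failure dst holds the empty string, never a truncated copy. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Measure src, but never look further than dstsz bytes. */
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)
        return -1;          /* too long: an unbounded copy would run past dst */

    memcpy(dst, src, n + 1);  /* n bytes of data plus the terminator */
    return 0;
}

/* Hypothetical hardened replacement for the body of the level's main(). */
int handle_arg(const char *arg)
{
    char buf[BUF_SIZE];

    /* Assumed vulnerable pattern: strcpy(buf, arg); with no bound on arg. */
    if (copy_arg(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "argument longer than %d bytes, rejected\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s argument\n", argv[0]);
        return 2;
    }
    return handle_arg(argv[1]);
}
```

With this check, the 144-byte input used above (140 bytes of padding plus a 4-byte address) is refused before any byte is written to the stack buffer.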

Level 3

Username : narnia3
Password : vaequeezee
SSH : narnia.labs.overthewire.org:2226
