Narnia · OverTheWire

Narnia Level 3 → Level 4

Level 3

Username : narnia3
Password : nairiepecu
SSH : narnia.labs.overthewire.org:2226

Solution

To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.

[Screenshot: the narnia3 executable and its source code]

As we can see above, the executable reads a file that the user provides and copies its contents to '/tmp/null'. '/tmp/null' is a special file that discards all data written to it but reports that the write operation succeeded. For more information on it, read the Wikipedia page on the null device.

On a first pass at the C code, we can see that it uses the vulnerable strcpy function with no check on size limits. The buffer for the input file name is 32 bytes and the buffer for the output file name is 16 bytes. Let's look at the code in a debugger.

[Screenshot: disassembly of the executable in the debugger]

We can see above that the executable first copies the string stored at 0x58(%esp) and then the string stored at 0x38(%esp). Both of these locations probably hold the file names to be opened. Therefore, we can conclude that if we overflow the buffer for the input file name, we can also modify the name of the output file and possibly change it to something other than the null device.

Let's confirm this theory by providing a filename longer than 32 characters and breaking the flow in gdb before the files are opened.

[Screenshot: gdb session with two breakpoints and a long filename argument]

As we can see, there are two breakpoints set and a long filename passed to the executable. At the first breakpoint, which is right before the output file is opened, the value is set to "7890", and we can see in the next few statements that the file it tries to open is "7890", which is the part of our argument that starts 32 characters after the beginning of the input file name. Therefore, we have successfully changed the output file name. Let's create a file "7890" and see what the input file looks like at the second breakpoint.

[Screenshot: the input filename at the second breakpoint]

As we can see, the input filename is the one we provided to the executable. Therefore, we now control both the input file and the output file. Let's give the executable an input file which contains or references the password and an output file which we control.

To solve this, I created a folder within /tmp called Narnia0003 and a folder within it called SecurityTimes003. The total length of the following string is 32 bytes.

/tmp/Narnia0003/SecurityTimes003

Therefore, anything that follows the above path will overwrite the output file name. To take advantage of that, I created an output file within /tmp named output. I also created an input file named output within a folder named tmp, which nests under /tmp/Narnia0003/SecurityTimes003. If we symbolically link this file to the password file, we can use it as the input file, and the output file will be rewritten to /tmp/output, which is a file we can view.

[Screenshot: final run showing the contents of /tmp/output]

As we can see above, the executable writes the output to our file, and the file now contains the password for the next level.
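The root cause of this level is the unbounded strcpy into a fixed-size stack buffer, which lets the input file name spill into the adjacent output file name. The following is an added example, not the level's own code, showing the bounded form a defender would want instead: every copy refuses a name that does not fit with its terminator, so an argument longer than 31 bytes is rejected rather than overwriting the neighbouring buffer, and the input file is opened with O_NOFOLLOW so that a symbolic link in place of a regular file is refused. The buffer sizes (32 and 16 bytes) and the '/tmp/null' output path come from the writeup; the function names and the sample paths are my own.

```c
/* Added example: bounded replacement for the level's unbounded strcpy.
   Sizes and the output path are taken from the writeup; function names
   are assumptions of this example, not the level's own code. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IFILE_LEN 32            /* input file name buffer, per the writeup  */
#define OFILE_LEN 16            /* output file name buffer, per the writeup */
#define OUTPUT_SINK "/tmp/null" /* the output path named in the writeup     */

/* Copy src into dst only if it fits together with its NUL terminator.
   Returns 0 on success, -1 (dst untouched) if src is too long. */
int copy_name_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strnlen(src, dstlen);    /* never reads more than dstlen bytes */
    if (n == dstlen)                    /* no room left for the terminator    */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same two-buffer layout the writeup reasons about, but both copies are
   bounded. On success both names are copied out and 0 is returned; if the
   user-supplied name is 32 bytes or longer, -1 is returned and nothing is
   written, so the output name can never be altered by the input name. */
int set_names_bounded(const char *user_arg, char *ifile_out, char *ofile_out)
{
    char ofile[OFILE_LEN];
    char ifile[IFILE_LEN];

    if (copy_name_bounded(ofile, sizeof ofile, OUTPUT_SINK) != 0)
        return -1;
    if (copy_name_bounded(ifile, sizeof ifile, user_arg) != 0)
        return -1;

    memcpy(ifile_out, ifile, sizeof ifile);
    memcpy(ofile_out, ofile, sizeof ofile);
    return 0;
}

/* Open the input file without following a symbolic link in the final path
   component. Returns a descriptor, or -1 if the path is a symlink (ELOOP),
   does not exist, or cannot be read. */
int open_input_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        if (errno == ELOOP)
            fprintf(stderr, "refusing symbolic link: %s\n", path);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char ifile[IFILE_LEN], ofile[OFILE_LEN];

    if (argc != 2) {
        fprintf(stderr, "usage: %s <input file>\n", argv[0]);
        return 1;
    }
    if (set_names_bounded(argv[1], ifile, ofile) != 0) {
        fprintf(stderr, "input file name too long (max %d bytes)\n", IFILE_LEN - 1);
        return 1;
    }
    int fd = open_input_nofollow(ifile);
    if (fd < 0)
        return 1;
    close(fd);
    printf("would copy %s to %s\n", ifile, ofile);
    return 0;
}
```

Run with the writeup's 32-byte directory path as the argument and the program refuses it, because the name exactly fills the buffer with no room for the terminator; with a 31-byte or shorter name both buffers are set independently and the output path stays '/tmp/null' no matter what the input name is.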


Level 4

Username : narnia4
Password : thaenohtai
SSH : narnia.labs.overthewire.org:2226
