Narnia · OverTheWire

Narnia Level 4 → Level 5

Level 4

Username : narnia4
Password : thaenohtai


To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.


Screenshot from 2017-08-01 21-32-46.png

8-1-2017 9-33-27 PM.png

As we can see above, the executable doesn’t respond to any data provided as an argument and merely just exits after it’s done executing the commands. On looking at the code, we can see that the executable changes the data of environment variable to a Null character, thereby removing any shellcode that might be sitting in an environment variable.

The last few lines of the code are used to copy an argument provided to the executable into a buffer. My first impression was to use an environment variable similar to the previous two levels and somehow exploit the strlen function to think that my shellcode size is smaller than it is and preserve the shellcode in the environment variable.

Screenshot from 2017-08-01 21-45-31.png

As we can see above, the executable removes the content of an environment variable. After messing with it for a few times, I decided to take a different approach and look into the buffer variable. The executable simply copies the content of the argument to the buffer variable without checking for limit bounds. Therefore, if we can exceed the bounds, we can potentially create a buffer overflow and re-write the return pointer to the address of our shellcode which would be provided in the argument to the executable. Let’s try to find out how many bytes are needed to overflow the buffer.

Screenshot from 2017-08-01 21-51-20.png

As we know the size of the buffer variable is 256 characters, I decided to start with 260 characters and proceed upwards until I find my first Segmentation Fault. As we can see above, after inputting 272 characters, the executable returned an ‘Illegal Instruction’. From what I’ve seen in my past experiences, when the base pointer of the previous function is overwritten and not the return pointer, the executable responds with this error message. Therefore, 4 more bytes over this will re-write the return pointer. At this point I decided to run the program in gdb and figure out the address of my buffer. We can see that the executable uses strcpy to copy data from the argument to the buffer. Therefore, I set a breakpoint after strcpy function to see where the data was copied.

Screenshot from 2017-08-01 21-58-34.png

As the executable loads the effective address of ‘$esp+0x1c’, I decided to jump to that location and see if that’s the address of the buffer variable. The argument value that I provided was there in the buffer. Therefore, my next step was to create a slide of NOP’s and put my shellcode in between.

Screenshot from 2017-08-01 22-23-30.png

As we can see above, by using the shellcode used in the previous levels, we were able to re-write the return pointer to our shellcode address.

Level 5

Username : narnia5
Password : faimahchiy

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s