Narnia · OverTheWire

Narnia Level 6 → Level 7

Level 6

Username : narnia6
Password : neezocaeng
SSH : narnia.labs.overthewire.org:2226

Solution

To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.

[Screenshot: 2017-08-12 16-27-23]

[Screenshot: 2017-08-12 16-30-33]

As we can see above, the executable removes all the environment variables and discards any arguments beyond the third (argument 1 is the executable call and arguments 2 and 3 are the two arguments passed to the executable). I was a little confused by the following line:

int (*fp)(char *) = (int (*)(char *))&puts;

After refreshing my knowledge on pointers, I understood that this declares a function pointer initialized to point to puts(). Therefore whatever is passed to fp is simply printed on the console. As we know, strcpy() performs no bounds check and is vulnerable to buffer overflow, so let's see if we can exploit it.

[Screenshot: 2017-08-12 16-53-53]

As we can see above, we can overflow the buffer and overwrite the return pointer. As we cannot utilize arguments and environment variables, we need to find a different way of gaining access to a shell. At this point, I decided to try and put shellcode in the second argument in the hope of being able to jump to that address by overflowing the argument 1 variable. However, since the buffer is only 8 bytes long, I ended up overflowing the space allocated for argument 1 and replaced the return address with a word from the shellcode.
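To make the bug concrete, here is an added example (my own reconstruction, not the level's actual source or the binary's exact stack layout): an 8-byte buffer next to a function pointer initialised to puts(), copied into with strcpy() as the level does, beside a hardened version that rejects over-long input and keeps the pointer const. The function names, the BUF_LEN constant and the fits() helper are assumptions for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8   /* assumed: the level's argument buffers are 8 bytes */

/* Mirrors the level's pattern (reconstruction, not the real binary):
 * a fixed-size buffer beside a function pointer that points to puts().
 * strcpy() does no bounds check, so an argument longer than BUF_LEN-1
 * runs past b1 and can clobber whatever sits next to it, fp included.
 * Only call this with input that fits; over-long input is undefined. */
int vulnerable(const char *arg) {
    char b1[BUF_LEN];
    int (*fp)(const char *) = (int (*)(const char *))&puts;
    strcpy(b1, arg);          /* the overflow the level exploits */
    return fp(b1);
}

/* Does the argument fit in the buffer with room for the terminator? */
int fits(const char *arg) {
    return strlen(arg) < BUF_LEN;
}

/* Hardened form: validate the length before copying, copy exactly the
 * bytes that fit, and make the pointer const so it cannot be retargeted
 * by a later write. Returns -1 when the input is rejected. */
int hardened(const char *arg) {
    char b1[BUF_LEN];
    int (*const fp)(const char *) = puts;
    if (!fits(arg))
        return -1;                        /* reject instead of overflowing */
    memcpy(b1, arg, strlen(arg) + 1);     /* bounded: length checked above */
    return fp(b1);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 1;
    }
    /* Demonstrates the safe path only; hardened() refuses long input. */
    return hardened(argv[1]) < 0 ? 2 : 0;
}
```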

[Screenshot: 2017-08-12 17-11-52]

So now that we know we cannot supply or store the shellcode in the executable, we need to think of a different way of exploiting it. Let's look at the following code:

[Screenshot: 2017-08-12 17-34-43]

[Screenshot: 2017-08-12 17-36-05]

The code calls the system() function to execute 'ls -l'. Let's now have a look at the internal workings of it in GDB.

[Screenshot: 2017-08-12 16-23-17]

As we can see above, right before the call to system() is made, the command string is pushed on the stack. Therefore, if we can call the system() function and pass '/bin/sh' to it, we might be able to access a shell.

[Screenshot: 2017-08-12 19-27-48]

As we can see above, we first find the address of the system() function and then pass our string '/bin/sh' to it.

[Screenshot: 2017-08-12 19-31-21]

Level 7

Username : narnia7
Password : ahkiaziphu
SSH : narnia.labs.overthewire.org:2226
