Level 6
Username: narnia6
Password: neezocaeng
SSH: narnia.labs.overthewire.org:2226
To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.
As we can see above, the executable removes all the environment variables and arguments greater than 3 (argument 1 is the executable call and arguments 2 and 3 are the two arguments passed to the executable). I was a little confused by the following line:
int (*fp)(char *)=(int(*)(char *))&puts;
After refreshing my knowledge on pointers, I understood that this line declares a function pointer, fp, initialized to point to puts(). Therefore whatever is passed to fp is simply printed on the console. Since strcpy() is vulnerable to buffer overflows, let’s see if we can exploit it.
As we can see above, we can overflow the buffer and overwrite the return pointer. As we cannot utilize arguments and environment variables, we need to find a different way of gaining access to a shell. At this point, I decided to try and put shellcode in the second argument in the hopes of being able to call that address by overflowing the argument 1 variable. However, since the length of the buffer is only 8 bytes, I ended up overflowing the space allocated for argument 1 and replaced the return address with a word in the shellcode.
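To make the overflow concrete, here is an added example (not part of the original write-up or the level's source) that models an 8-byte buffer followed by a function pointer like fp, then contrasts an unbounded copy with a length-checked one. The struct layout, function names and inputs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration: an 8-byte buffer directly followed by a
 * function pointer. The real stack layout is chosen by the compiler. */
struct frame {
    char b1[8];
    int (*fp)(const char *);
};

/* Returns 1 if the stored pointer still has the byte pattern of puts. */
static int fp_intact(const struct frame *f)
{
    int (*orig)(const char *) = puts;
    return memcmp(&f->fp, &orig, sizeof orig) == 0;
}

/* Models strcpy(b1, src): copies strlen(src)+1 bytes starting at b1 with no
 * regard for its size. The write is clamped to the struct so the demo itself
 * stays well defined. Returns 1 if the pointer was clobbered, 0 otherwise. */
int unbounded_copy_clobbers_fp(const char *src)
{
    struct frame f = { {0}, puts };
    size_t n = strlen(src) + 1;
    if (n > sizeof f) n = sizeof f;
    memcpy((char *)&f, src, n);
    return !fp_intact(&f);
}

/* Hardened copy: refuse input that does not fit, terminator included.
 * Returns 0 if copied, -1 if rejected, -2 if the pointer changed (never
 * expected on either path). */
int bounded_copy_keeps_fp(const char *src)
{
    struct frame f = { {0}, puts };
    size_t n = strlen(src) + 1;
    if (n > sizeof f.b1)
        return fp_intact(&f) ? -1 : -2;
    memcpy(f.b1, src, n);
    return fp_intact(&f) ? 0 : -2;
}

int main(void)
{
    /* Constructed inputs: 7 bytes fit, 12 bytes do not. */
    printf("unbounded, 7 bytes:  clobbered=%d\n", unbounded_copy_clobbers_fp("AAAAAAA"));
    printf("unbounded, 12 bytes: clobbered=%d\n", unbounded_copy_clobbers_fp("AAAAAAAABBBB"));
    printf("bounded,   12 bytes: result=%d\n", bounded_copy_keeps_fp("AAAAAAAABBBB"));
    return 0;
}
```

An 8-character input is already too long for the bounded copy, because the terminating NUL is the ninth byte.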
So now that we know that we cannot provide/store the shellcode in the executable, we need to think of a different way of exploiting it. Let’s look at the following code:
The code calls the system() function to execute ‘ls -l’. Let’s now have a look at its internal workings in GDB.
As we can see above, right before the call to system() is made, the command is pushed onto the stack. Therefore, if we can call the system() function and pass ‘/bin/sh’ to it, we might be able to access a shell.
As we can see above, we first find the address of the system() function and then pass our string ‘/bin/sh’ to it.
Level 7
Username: narnia7
Password: ahkiaziphu
SSH: narnia.labs.overthewire.org:2226