Narnia · OverTheWire

Narnia Level 1 → Level 2

Level 1

Username : narnia1
Password : efeidiedae
SSH : narnia.labs.overthewire.org:2226

Solution

To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.

Screenshot from 2017-07-24 12-38-03.png

7-24-2017 12-43-10 PM.png

As we can see, the executable checks for the existence of an environment variable named ‘EGG’. To read more on environment variables, click here. Therefore, we need to create our shellcode and store it in the environment variable. The executable would then execute our shellcode for us. This would be a good point to read on Buffer Overflow if you’re unfamiliar with that. This link provides good information about it. Since we would be executing our shellcode from the environment variable, this link provides a really nice script to store our shellcode. Let’s now create our shellcode and store that in the ‘EGG’ environment variable.

Screenshot from 2017-07-25 12-49-48.png

As we can see above, we now have the shellcode. Let’s store this in the variable now.

Screenshot from 2017-07-25 12-57-17.png

Now that our shellcode is loaded, let’s execute ‘narnia1’.

Screenshot from 2017-07-25 13-11-07.png

Level 2

Username : narnia2
Password : nairiepecu
SSH : narnia.labs.overthewire.org:2226
Narnia · OverTheWire

Narnia Level 0 → Level 1

Level 0

Username : narnia0
Password : narnia0
SSH : narnia.labs.overthewire.org:2226

Solution

To solve this level, we first ssh into the narnia server using the credentials provided above. Let’s have a look at the executable for this level and its source code.

Screenshot from 2017-07-23 14-21-21.png

7-23-2017 2-22-41 PM.png

As we can see, the executable declares a buffer of 20 characters. However, when reading input, it allows up to 24 characters to be scanned into that buffer. Such a condition can result in a buffer overflow. To read more on it, check this link. We can overflow the buffer to overwrite the value of the variable ‘val’ and set it to ‘0xdeadbeef’. I wrote the following script to see if we can overflow the buffer.

python -c 'print "A"*20+"\x10\x10\x10\x10"' | ./narnia0

Screenshot from 2017-07-23 16-14-32.png

As we can see, after the 20 ‘A’ characters, the input overflows the buffer and replaces the value of ‘val’ with ‘0x10101010’, which is the last 4 input characters. Now that we know we can overflow the buffer easily, let’s replace the value with ‘0xdeadbeef’.
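The effect described above can be reproduced safely in a simulation. The following is an added example, not the level's source code: it assumes a layout in which the 20-byte buffer is directly followed by the 4-byte ‘val’, and the names Frame, scan_into_buf and the starting value are hypothetical. It contrasts a read width of 24 with a width that fits the buffer.

```python
import ctypes

BUF_SIZE = 20  # buffer size stated in the write-up

class Frame(ctypes.Structure):
    # Assumed layout: the 20-byte buffer is directly followed by the 4-byte 'val'.
    # 'spill' only absorbs the string terminator so the simulation stays in bounds.
    _fields_ = [("buf", ctypes.c_char * BUF_SIZE),
                ("val", ctypes.c_uint32),
                ("spill", ctypes.c_char * 4)]

def scan_into_buf(frame, data, width):
    """Copy at most `width` input bytes plus a NUL terminator to the start of
    buf, the way a width-limited string read does. The copy is governed by
    `width` alone; nothing compares it with the size of buf."""
    chunk = data[:width] + b"\x00"
    if len(chunk) > ctypes.sizeof(frame):
        raise ValueError("width too large for this simulation")
    ctypes.memmove(ctypes.addressof(frame), chunk, len(chunk))
    return frame.val

INITIAL_VAL = 0x41414141             # constructed starting value for 'val'
PROBE = b"A" * 20 + b"\x10" * 4      # same input as the one-liner above

def demo():
    weak = Frame(val=INITIAL_VAL)
    hardened = Frame(val=INITIAL_VAL)
    overflowed = scan_into_buf(weak, PROBE, 24)             # width exceeds the buffer
    bounded = scan_into_buf(hardened, PROBE, BUF_SIZE - 1)  # width leaves room for NUL
    return overflowed, bounded

if __name__ == "__main__":
    for label, value in zip(("width 24", "width 19"), demo()):
        print(f"{label}: val = {value:#010x}")
```

With the width tied to the buffer size, the extra input is simply not copied and ‘val’ keeps its original value.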

Screenshot from 2017-07-23 16-15-02.png

As we can see above, the executable overflows the buffer; however, the shell closes before we have the opportunity to execute any commands. Therefore, we need to find a way to make the shell persist and not exit. To do that, we need to pass a command to the shell that makes it persist until we send the input. Commands like ‘cat’ can help us achieve that.

Screenshot from 2017-07-23 17-17-54.png

As we can see above, we can read the password for the next level now.

Level 1

Username : narnia1
Password : efeidiedae
SSH : narnia.labs.overthewire.org:2226
Krypton · OverTheWire

Krypton Level 3 → Level 4

Level 3

Username : krypton3
Password : CAESARISEASY
SSH : krypton.labs.overthewire.org:2222

Level Info

Well done. You’ve moved past an easy substitution cipher.

The main weakness of a simple substitution cipher is repeated use of a simple key. In the previous exercise you were able to introduce arbitrary plaintext to expose the key. In this example, the cipher mechanism is not available to you, the attacker.

However, you have been lucky. You have intercepted more than one message. The password to the next level is found in the file ‘krypton4’. You have also found 3 other files. (found1, found2, found3)

You know the following important details:

- The message plaintexts are in English (*** very important)
- They were produced from the same key (*** even better!)

Enjoy.

Solution

To solve this level, we first ssh into the krypton3 server using the credentials provided above.

Screenshot from 2017-07-20 22-38-00.png

Screenshot from 2017-07-20 22-38-26.png

We can see the content of the files and the hints given. Looking into the frequency of letters in English text, I came across the following image:

7-21-2017 1-47-52 PM.png

To understand the frequency of letters in the found files, I wrote a small Python module to find it.

Screenshot from 2017-07-21 13-42-23.png

As we can see above, the letter “S” is the most frequent letter in all three files, followed closely by the letters “Q” and “J”. While searching for the most common two-letter words in English, I came across this link. Based on this, we now know the frequency of two-letter and three-letter words. We can use this information to complete a mapping of ciphertext letters to plaintext letters.

Ciphertext    : a b c d e f g h i j k l m n o p q r s t u v w x y z
Plaintext     : b o i h g k n q v t w y u r x z a j e m s l d f p c

Based on the above mapping, we can decrypt the password file.

“WELL DONE THE LEVEL FOUR PASSWORD IS BRUTE”
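The two steps used in this level, counting n-grams and applying the recovered table, look like this in code. This is an added example, not the module from the original post; the table is the one shown above, and the sample ciphertext is constructed here by encrypting the decrypted sentence with that table, since the intercepted files are not reproduced on this page.

```python
from collections import Counter

# Substitution table copied from the write-up (ciphertext letter -> plaintext letter).
CIPHER = "abcdefghijklmnopqrstuvwxyz"
PLAIN = "boihgknqvtwyurxzajemsldfpc"
DECRYPT = str.maketrans(CIPHER.upper(), PLAIN.upper())
ENCRYPT = str.maketrans(PLAIN.upper(), CIPHER.upper())

def letters(text):
    """Upper-case the text and drop everything except letters, so the
    5-letter grouping does not influence the statistics."""
    return "".join(ch for ch in text.upper() if ch.isalpha())

def ngram_counts(text, n):
    """Count overlapping n-grams: n=1 letters, n=2 digrams, n=3 trigrams."""
    s = letters(text)
    return Counter(s[i:i + n] for i in range(len(s) - n + 1))

def group5(text):
    """Format text the way the level stores ciphertext: 5-letter groups."""
    s = letters(text)
    return " ".join(s[i:i + 5] for i in range(0, len(s), 5))

def decrypt(ciphertext):
    """Apply the recovered table to a ciphertext."""
    return letters(ciphertext).translate(DECRYPT)

# Constructed sample: the sentence from the write-up, encrypted with the table.
SAMPLE_PLAIN = "WELL DONE THE LEVEL FOUR PASSWORD IS BRUTE"
SAMPLE_CIPHER = group5(SAMPLE_PLAIN.translate(ENCRYPT))

if __name__ == "__main__":
    print("ciphertext :", SAMPLE_CIPHER)
    print("top letters:", ngram_counts(SAMPLE_CIPHER, 1).most_common(3))
    print("top digrams:", ngram_counts(SAMPLE_CIPHER, 2).most_common(3))
    print("decrypted  :", decrypt(SAMPLE_CIPHER))
```

On a text this short the counts are only a starting point; the three found files give far more letters to work with, which is why having several messages under the same key matters.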

Level 4

Username : krypton4
Password : BRUTE
SSH : krypton.labs.overthewire.org:2222 
Krypton · OverTheWire

Krypton Level 2 → Level 3

Level 2

Username : krypton2
Password : ROTTEN
SSH : krypton.labs.overthewire.org:2222

Level Info

ROT13 is a simple substitution cipher.

Substitution ciphers are a simple replacement algorithm. In this example of a substitution cipher, we will explore a ‘monoalphabetic’ cipher. Monoalphabetic means, literally, “one alphabet” and you will see why.

This level contains an old form of cipher called a ‘Caesar Cipher’. A Caesar cipher shifts the alphabet by a set number. For example:

plain:  a b c d e f g h i j k …
cipher: G H I J K L M N O P Q …

In this example, the letter ‘a’ in plaintext is replaced by a ‘G’ in the ciphertext so, for example, the plaintext ‘bad’ becomes ‘HGJ’ in ciphertext.

The password for level 3 is in the file krypton3. It is in 5 letter group ciphertext. It is encrypted with a Caesar Cipher. Without any further information, this cipher text may be difficult to break. You do not have direct access to the key, however you do have access to a program that will encrypt anything you wish to give it using the key. If you think logically, this is completely easy.

One shot can solve it!

Have fun.

Additional Information:

The encrypt binary will look for the keyfile in your current working directory. Therefore, it might be best to create a working directory in /tmp and in there a link to the keyfile. As the encrypt binary runs setuid krypton3, you also need to give krypton3 access to your working directory.

Here is an example:

krypton2@melinda:~$ mktemp -d
/tmp/tmp.Wf2OnCpCDQ
krypton2@melinda:~$ cd /tmp/tmp.Wf2OnCpCDQ
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ln -s /krypton/krypton2/keyfile.dat
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
keyfile.dat
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ chmod 777 .
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ /krypton/krypton2/encrypt /etc/issue
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
ciphertext keyfile.dat

Solution

To solve this level, we first ssh into the krypton2 server using the credentials provided above. We can see the files mentioned in the level information. To understand the working of the encryption executable, let’s follow the steps mentioned above.

Screenshot from 2017-07-20 16-50-45 - Copy.png

As we can see above, I created a temporary file which contains the English alphabet. We’ll now use this file as the plaintext to understand how the encrypt executable works.

Screenshot from 2017-07-20 22-22-49.png

As we can see, the encryption is ROT-12. Therefore, we can create a script similar to the one for the last level to decrypt the krypton3 password file.

Screenshot from 2017-07-20 22-24-45.png
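The chosen-plaintext step above, feeding the alphabet to the encrypt program and reading off the shift, can be written out as follows. This is an added example, not the script from the original post: fake_oracle is a hypothetical stand-in for the encrypt binary, and the ciphertext is constructed here from the known password with the ROT-12 shift found above.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Shift every letter by `shift` positions; leave other characters alone."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def recover_shift(chosen_plain, oracle_cipher):
    """Derive the key from one plaintext/ciphertext pair and confirm that
    every letter pair agrees, which is what makes it a Caesar cipher."""
    p = [c for c in chosen_plain.upper() if c in ALPHABET]
    c = [c for c in oracle_cipher.upper() if c in ALPHABET]
    if not p or len(p) != len(c):
        raise ValueError("plaintext and ciphertext need the same number of letters")
    shifts = {(ALPHABET.index(y) - ALPHABET.index(x)) % 26 for x, y in zip(p, c)}
    if len(shifts) != 1:
        raise ValueError("not a Caesar cipher: letter pairs disagree on the shift")
    return shifts.pop()

def fake_oracle(plaintext, _key=12):
    """Hypothetical stand-in for the encrypt binary (key assumed to be ROT-12)."""
    return caesar(plaintext, _key)

# Constructed ciphertext in 5-letter groups, built from the known password.
SAMPLE_CIPHER = "OMQEM DUEQM EK"

def solve():
    shift = recover_shift(ALPHABET, fake_oracle(ALPHABET))
    return shift, caesar(SAMPLE_CIPHER, -shift)

if __name__ == "__main__":
    print(solve())
```

A single query is enough because one known letter pair already fixes the shift; checking all 26 pairs only confirms that the cipher really is a plain rotation.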

Level 3

Username : krypton3
Password : CAESARISEASY
SSH : krypton.labs.overthewire.org:2222 
Krypton · OverTheWire

Krypton Level 1 → Level 2

Level 1

Username : krypton1
Password : KRYPTONISGREAT
SSH : krypton.labs.overthewire.org:2222

Level Info

The password for level 2 is in the file ‘krypton2’. It is ‘encrypted’ using a simple rotation. It is also in non-standard ciphertext format. When using alpha characters for cipher text it is normal to group the letters into 5 letter clusters, regardless of word boundaries. This helps obfuscate any patterns. This file has kept the plain text word boundaries and carried them to the ciphertext. Enjoy!

Solution

To solve this level, we first ssh into the krypton1 server using the credentials provided above.

Screenshot from 2017-07-20 13-07-48.png

As the level information mentioned that the encryption is a simple rotation, my first impression was to try the ROT13 cipher. ROT13 (“rotate by 13 places”, sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet. ROT13 is a special case of the Caesar cipher, developed in ancient Rome. For more information on ROT13, read this page.

To solve this, I am going to utilize the “tr” command to implement a ROT13 cipher. Therefore, “A” would map to “N” and “Z” would map to “M”. The mapping for lower-case alphabets would be similar.

Screenshot from 2017-07-20 13-09-08.png

As we can see in the image above, the password for the next level is “ROTTEN”. If the password wasn’t a ROT13 cipher, we would have tried other ROTn substitution ciphers to find the password.
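Trying the other ROTn ciphers does not have to be done by eye. The following added example, which is not part of the original post, enumerates all 26 rotations and ranks them by how many whole words match a small crib list; it relies on the preserved word boundaries that the level information points out. The crib list and the sample ciphertext are constructed for illustration.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase

# Assumed crib list: words an analyst might expect in a short English message.
CRIBS = {"THE", "AND", "IS", "TWO", "LEVEL", "PASSWORD"}

def rot(text, n):
    """Rotate letters by n places, the same mapping `tr` is given for ROT13."""
    table = str.maketrans(UPPER + LOWER,
                          UPPER[n:] + UPPER[:n] + LOWER[n:] + LOWER[:n])
    return text.translate(table)

def rank_rotations(ciphertext, cribs=CRIBS):
    """Return (hits, n, candidate) for every rotation, best candidate first.
    A hit is a whole word of the candidate that appears in the crib list,
    which only works because the word boundaries survived encryption."""
    results = []
    for n in range(26):
        candidate = rot(ciphertext, n)
        hits = sum(word in cribs for word in candidate.upper().split())
        results.append((hits, n, candidate))
    return sorted(results, key=lambda r: (-r[0], r[1]))

# Constructed sample: a short sentence containing the password, rotated by 13.
SAMPLE_CIPHER = rot("LEVEL TWO PASSWORD ROTTEN", 13)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHER)
    for hits, n, candidate in rank_rotations(SAMPLE_CIPHER)[:3]:
        print(f"ROT{n:<2} hits={hits} {candidate}")
```

Had the ciphertext been regrouped into 5-letter clusters, whole-word matching would fail and the ranking would have to fall back on letter statistics.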

Level 2

Username : krypton2
Password : ROTTEN
SSH : krypton.labs.overthewire.org:2222 
Krypton · OverTheWire

Krypton Level 0 → Level 1

Level 0

Username : krypton0
Password : Tith4cokei
SSH : krypton.labs.overthewire.org:2222

Level Info

Welcome to Krypton! The first level is easy. The following string encodes the password using Base64: S1JZUFRPTklTR1JFQVQ=
Use this password to log in to krypton.labs.overthewire.org with username krypton1 using SSH on port 2222. You can find the files for other levels in /krypton/.

Solution

As we know that the password for the next level is the base64 decoding of the string provided, we can run the decoder on it and find the password.

Screenshot from 2017-07-19 22-55-32.png

Level 1

Username : krypton1
Password : KRYPTONISGREAT
SSH : krypton.labs.overthewire.org:2222 
Leviathan · OverTheWire

Leviathan Level 6 → Level 7

Level 6

Username : leviathan6
Password : Tith4cokei
SSH : leviathan.labs.overthewire.org:2223

Solution

To solve this level, we first ssh into the leviathan6 server using the credentials provided above.

Screenshot from 2017-07-19 15-03-37.png

As we can see, the server contains an executable which requires a 4-digit code and probably compares it with something. If the number matches what the executable expects, we will hopefully be able to access our password file. Let’s run gdb on the executable to learn more about it. The application converts our input with atoi() and then compares the returned value with a number. If we can learn that number, we can enter the same number and allow the executable to proceed further.

Screenshot from 2017-07-19 14-50-33.png

As we can see, the number is 7123. Let’s see what happens if we use that number in the argument.

Screenshot from 2017-07-19 14-46-36.png

As we can see, the executable logs us in as leviathan7 and now we can access the password file.

Level 7

Username : leviathan7
Password : ahy7MaeBo9
SSH : leviathan.labs.overthewire.org:2223