Narnia (OverTheWire) Writeup
Narnia is a wargame hosted on overthewire.org.
Narnia0
username: narnia0
password: narnia0
After connecting to the host over ssh on port 2226 and entering the password, you're logged in.
The instructions say the data for each level can be found in /narnia/. Navigate to it with cd ../../narnia. After you run ls -la, you will see a list of executable files. First, view the source with cat narnia0.c

In the above code, there is one constant worth explaining: 0xdeadbeef. Normally, memory addresses are expressed either in decimal or hexadecimal. After some research, I found out that 0xdeadbeef is hexspeak. Details can be found here.

In plain terms, we need to overwrite val, because the code above only sets the user id and spawns /bin/sh if val == 0xdeadbeef.
So a buffer overflow against this program looks like the right approach.
To explain it in layman's terms: unlike other programming languages such as Java or C#, processing user input in C/C++ works differently. Be careful here: scanf is parsing user input, not just taking it. Here is a nice writeup. We are storing the user's input in buf (an array of size 20). But when parsing the user input with scanf, we allow the length to be 24, which overflows the array buf.
Details about buffer overflows can be found on the wiki page, here. The exploitation technique used can be found here.

Inferences:
- The address of the main function is 0804855b in hex.
- 18 in hex (24 in decimal) bytes are reserved for the local variables of the main function:
  804855f: 83 ec 18 sub $0x18,%esp
- The address of buffer starts 1c in hex (28 in decimal) bytes before %ebp. This means that 28 bytes are reserved for the buffer even though we asked for 20 bytes:
  8048583: 8d 45 e4 lea -0x1c(%ebp),%eax
Now that we know 28 bytes are reserved for the buffer and that it sits right next to %ebp (the base pointer of the main function), the next 4 bytes hold the saved %ebp and the 4 bytes after that hold the return address (the address %eip jumps to after the function completes). So it is clear what our payload should look like: the first 28+4=32 bytes are arbitrary filler characters and the next 4 bytes are the address of val.
Note: registers are 4 bytes (32 bits) because the binary is compiled for a 32-bit system.
We want the address of val to be deadbeef in hex. Depending on whether our machine is little-endian or big-endian, we need to choose the proper byte order for the value we write. On a little-endian machine the bytes go in reverse order, i.e. ef be ad de.
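To make the two points above concrete (a 24-character scanf width writing into a 20-byte buffer clobbers whatever sits right after it, and a 32-bit value is stored least-significant byte first on a little-endian machine), here is an added example in C. It is not narnia0.c and not the author's code: the struct frame is a hypothetical model of the stack layout the writeup describes, the initial value 0x41414141 and the 24-character input are constructed, and the input is fed through sscanf so it runs offline. The hardened variant uses a width of sizeof(buf) - 1, which is the fix a defender would apply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the frame described in the writeup (added example,
 * not the narnia0 source): a 20-byte buffer directly followed by the 4-byte
 * val that the overflow clobbers. */
struct frame {
    char buf[20];
    uint32_t val;
    char spill[8];   /* absorbs the terminating NUL so the demo stays inside the struct */
};

/* Vulnerable read, as the writeup describes: width 24 into a 20-byte buffer.
 * sscanf writes up to 24 characters plus a NUL, i.e. 5 bytes past the end of
 * buf (undefined behaviour in C terms; that is the bug). Returns val afterwards. */
uint32_t read_unbounded(const char *input) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.val = 0x41414141;              /* constructed initial value */
    sscanf(input, "%24s", f.buf);
    return f.val;
}

/* Hardened read: the width is sizeof(buf) - 1, leaving room for the NUL,
 * so the longest accepted input fills buf[0..18] and never touches val. */
uint32_t read_bounded(const char *input) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.val = 0x41414141;
    sscanf(input, "%19s", f.buf);
    return f.val;
}

/* Little-endian check: returns the first byte of a 32-bit value as it sits
 * in memory. For 0xdeadbeef on x86 this is 0xef, matching "ef be ad de". */
unsigned first_byte_in_memory(uint32_t v) {
    unsigned char b[4];
    memcpy(b, &v, sizeof b);
    return b[0];
}

int main(void) {
    const char *long_input = "BBBBBBBBBBBBBBBBBBBBBBBB";   /* 24 x 'B', constructed */
    printf("unbounded: val = 0x%08x\n", read_unbounded(long_input));
    printf("bounded:   val = 0x%08x\n", read_bounded(long_input));
    printf("first byte of 0xdeadbeef in memory: 0x%02x\n",
           first_byte_in_memory(0xdeadbeefu));
    return 0;
}
```

With the unbounded read, characters 20..23 of the input land in val, so it becomes 0x42424242; with the bounded read it stays 0x41414141. The first_byte_in_memory check is the reason the payload later in the writeup spells the value as ef be ad de rather than de ad be ef.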
So the payload will be:
(python -c 'print "A"*20+"\xef\xbe\xad\xde"'; cat) | ./narnia0
After that, ask for the user id with whoami. It should say narnia1. Grab the password with
cat /etc/narnia_pass/narnia1
The password would be efeidiedae.
Hope you enjoyed the article, and see you in the next article for narnia1.