Narnia (Over TheWire) Writeup

Aung Kyaw Myint
Nov 7 · 3 min read

Narnia is a war game hosted on overthewire.org.

Narnia0

username : narnia0

password: narnia0

After connecting to the host over ssh on port 2226 and keying in the password, you’re logged in.

The instructions say the data for each level can be found in /narnia/. Navigate to it with cd ../../narnia. After you ls -la, you will see a list of executable files. First open the source with cat narnia0.c

In the above code, one thing needs explaining: 0xdeadbeef. Memory addresses and constants are normally written either in decimal or in hexadecimal. After some research, I found out that 0xdeadbeef is hexspeak. Details can be found here.

In plain terms, we need to crash the program, because the code above says that only if val == 0xdeadbeef does it set the user id and run /bin/sh.

It looks like a buffer overflow exploit is the right approach for this program.

To explain it in layman’s terms: unlike other programming languages such as Java or C#, processing user input in C++ is different. Be careful here: scanf is parsing user input, not just taking it. Here is a nice writeup. We are storing the user’s input in buf (an array of size 20). But when parsing the user input in scanf, we allow the length to be 24, which will overflow the array buf.

Details about buffer overflow can be found in wiki page, here. The exploitation used can be found here.

Inferences:

  1. The address of the main function is 0804855b in hex.
  2. 18 in hex, or 24 in decimal, bytes are reserved for the local variables of the main function:

       804855f:    83 ec 18    sub    $0x18,%esp

  3. The address of buffer starts 1c in hex, or 28 in decimal, bytes before %ebp. This means that 28 bytes are reserved for buffer even though we asked for 20 bytes:

       8048583:    8d 45 e4    lea    -0x1c(%ebp),%eax

Now we know that 28 bytes are reserved for buffer, and it sits right next to %ebp (the base pointer of the main function). Hence the next 4 bytes store the saved %ebp, and the 4 bytes after that store the return address (the address that %eip jumps to after the function completes). Now it is pretty obvious how our payload should look. The first 28+4=32 bytes would be any random characters, and the next 4 bytes will be the address of the val.

Note: Registers are 4 bytes or 32 bits as the binary is compiled for a 32 bit system.

We want the address of the val to be deadbeef in hex. Now depending on whether our machine is little-endian or big-endian we need to decide the proper format of the address to be put. For a little-endian machine we need to put the bytes in the reverse order. i.e. ef be ad de.
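To make the two points above concrete (the unsafe scanf width that lets a 24-character read spill out of a 20-byte buffer, and why the bytes of 0xdeadbeef appear reversed in memory), here is an added example. It is not the challenge’s own source or the author’s code: read_token_bounded, scanf_width_is_safe, demo_bounded_read and bytes_in_memory are hypothetical helpers written for this writeup, and the struct used as a stand-in stack frame is an assumption about layout, not the real narnia0 frame.

```c
/* Added example, not the narnia0 source: a bounded replacement for the
 * fixed-width scanf pattern, and a look at 32-bit byte order in memory. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A width of N in "%Ns" lets scanf store N characters plus a NUL, so the
 * widest safe field for a buffer of `bufsize` bytes is bufsize - 1.
 * Returns 1 when the width fits, 0 when it can overrun the buffer. */
int scanf_width_is_safe(size_t bufsize, size_t width) {
    return bufsize > 0 && width <= bufsize - 1;
}

/* Bounded alternative to scanf("%24s", buf): reads one whitespace-delimited
 * token from `in` into `dst` (capacity `cap`), never stores more than cap - 1
 * characters, always NUL-terminates, and discards the rest of the token so
 * it cannot spill into a later read. Returns the number of characters stored. */
size_t read_token_bounded(FILE *in, char *dst, size_t cap) {
    size_t n = 0;
    int c;
    if (cap == 0) return 0;
    while ((c = fgetc(in)) != EOF && isspace(c))   /* skip leading space, as %s does */
        ;
    while (c != EOF && !isspace(c)) {
        if (n < cap - 1) dst[n++] = (char)c;       /* store only what fits */
        c = fgetc(in);                              /* otherwise drop the byte */
    }
    dst[n] = '\0';
    return n;
}

/* Stand-in for the narnia0 frame (assumed layout): a 20-byte buffer with a
 * sentinel word right after it. Feeds `input` through the bounded reader and
 * returns the count stored if the sentinel survived, or -1 on failure. */
int demo_bounded_read(const char *input) {
    struct { char buf[20]; uint32_t val; } frame;
    frame.val = 0x41414141u;                        /* the value narnia0 starts with */
    if (input == NULL || *input == '\0') return -1; /* fmemopen rejects empty input */
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return -1;
    size_t n = read_token_bounded(f, frame.buf, sizeof frame.buf);
    fclose(f);
    if (frame.val != 0x41414141u) return -1;        /* would mean the read overran buf */
    return (int)n;
}

/* Copies the in-memory representation of v into out[0..3]. On a
 * little-endian host 0xdeadbeef comes out as ef be ad de, which is why
 * the bytes are supplied in that order. */
void bytes_in_memory(uint32_t v, unsigned char out[4]) {
    memcpy(out, &v, 4);
}

int host_is_little_endian(void) {
    unsigned char b[4];
    bytes_in_memory(0x01020304u, b);
    return b[0] == 0x04;
}

int main(void) {
    unsigned char b[4];
    bytes_in_memory(0xdeadbeefu, b);
    printf("0xdeadbeef in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    printf("\"%%24s\" into char[20] safe? %d\n", scanf_width_is_safe(20, 24));
    printf("\"%%19s\" into char[20] safe? %d\n", scanf_width_is_safe(20, 19));
    /* constructed input: 30 'A's, ten more than the buffer holds */
    printf("stored with bounded read: %d\n",
           demo_bounded_read("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The fix for the pattern the writeup describes is simply to keep the scanf width below the buffer size (here "%19s" for a 20-byte buffer) or to use a reader like read_token_bounded that takes the capacity as a parameter; the sentinel word in demo_bounded_read stays 0x41414141 no matter how long the input is.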

So the payload will be:

(python -c 'print "A"*20+"\xef\xbe\xad\xde"'; cat) | ./narnia0

After that, check your user id with whoami. It should say narnia1. Grab the password with

cat /etc/narnia_pass/narnia1

The password is efeidiedae.

Hope you enjoyed the article, and see you in the next one for narnia1.
