OverTheWire — Narnia Walkthrough
Hello and welcome to a new series of tutorials! This time we’re going to explore security-related topics, and we’re going to use OvertheWire.org website to solve some challenges in order to get familiar with these concepts. We’ll start with Narnia, since it doesn’t have a high degree of complexity, but it isn’t the easiest level either. Narnia is a series of challenges that are using exploitation techniques in order to navigate between levels. To advance throughout the levels of the challenge, you will need to know how to take advantage of certain bugs and limitations that are intentionally spread across the scripts used to advance to higher levels.
Solving Narnia level 0–1
A *nix machine is required, or access to a bash shell. Also, basic programming knowledge is required to understand the scripts created for each level. Sometimes you will have to create a bash script for exploiting different vulnerabilities, so scripting knowledge is required as well.
To start solving the first challenge, you first need to connect to level 0. The connection is realized through secure shell. The authors are telling us that we need to connect to narnia.labs.overthewire.org using narnia0 username. The password for this user is also narnia0, but for the coming challenges, the passwords are different than the usernames, and we will have to solve some security puzzles in order to get these passwords. Also, the authors are saying that we need to use port 2226, so the syntax for connecting to the first level is the following: ssh email@example.com -p2226 The system will prompt us to insert the password. Insert narnia0. Voila, you’re now logged into narnia level.
Solving the challenge
The authors are not offering us any clue on how to solve this challenge. The only helpful information is that the data for solving the levels can be found in /narnia/. So let’s navigate there:
We input the ‘ll’ command to see what’s inside this directory. The system shows us the following:
So we have the first clue. Let’s run narnia0 using ltrace to see what we get:
Hmmm, let’s see the source file for this compiled file.
So we can see two variables here, var, which is instantiated to this hex value: 0x41414141 and a buffer array that can hold 20 characters., but 24 characters are allowed to be scanned for the buffer. Looking further, we can see that the objective is to transform the value stored by var, from 0x41414141 to 0xdeadbeef. But how can we do that?
Well, we need to somehow exploit scanf() function, but first, let’s see how this program is using the memory of the system.
As you probably know, all the programs are using a structure called the stack to store all the variables, arguments and instructions. The advantage of this feature is that all these elements are quickly retrieved for being used by the program.
Knowing this, we can use a technique called buffer overflow, where we can overflow the buffer in order to change the value stored in val on the stack.
To check if this works, let us run a script for inputting 20 A’s into the buffer, followed by a sequence of shellcode: \x11\x22\x30.
I will use Python to create this script:
python -c ‘print “A”*20+”\x11\x22\x30"’ | ./narnia0
As you can see, we pipe the output of our python script directly into the ./narnia0 compiled file.
The result of this script is the following:
Now we have the password for Narnia1 level. Try and see if you can login using the same command used at the beginning of this article:
ssh firstname.lastname@example.org -p2226
Input the password got from the previous level, and you will see that a new level is started.
Thank you for choosing this tutorial for solving this security challenge! If any questions/suggestions, please leave comment.