This folder contains solutions for the Narnia wargame from OverTheWire.
very simple, insert 0xdeadbeaf after 20 bytes [level1.py]
{% include_relative scripts/level1.py %}
Flag: WDcYUTG5ul
we will use our shellcode shellcode.py
Flag: 5agRAXeBdG
first we can see it doesn’t have ASLR and run protection.
we will use our shellcode shellcode.py and store it in environment variable, then we will find the address of the environment variable using get_address.c
using the script we saw we override the return address after 132, so let’s insert the address of our environment variable.
Flag: 2xszzNl6uG
we will override the output file, this is the line we’ll run
python3 -c "print('/tmp/1/'+'a'*(32-len('/tmp/1/')) + 'output_file')"
notice my dir is /tmp/1.
then, we will run link the file that it outputs to the password file: ln -sf /etc/narnia_pass/narnia4 /tmp/1/aaaaaaaaaaaaaaaaaaaaaaaaaoutput_file
then, we will create the output file: touch output_file
and we need only to execute the binary: /narnia/narnia3 /tmp/1/aaaaaaaaaaaaaaaaaaaaaaaaaoutput_file
in one picture:
Flag: iqNWNk173q
we can see it doesn’t have ASLR and stack protection.
we’ve found using the begin of the script here [level5.py]
{% include_relative scripts/level5.py %}
that after 264 bytes we reach the ret-address.
now all left is to find the address of the buffer, play with the debugger to find it. notice it changes based on the length of the input you give it.
here can be found our injection: [level5.py]
{% include_relative scripts/level5.py %}
Flag: Ni3xHPEuuw
here we use basic format string attack, only change the address of the stack. here can be found our code: [level6.py]
{% include_relative scripts/level6.py %}
Flag: BNSjoSDeGL
we can see it doesn’t have ASLR but have stack protection.
in this level, we will call the system func with the command:/bin/sh, then it will execute this: system("/bin/sh")
first we need to find the address of system function, it being included during runtime via the libc.so.6. the range of the addresses there is at 0xf7......, and that’s what we need.
i use radare2, first i analyze it, start running it, and let it run until main. it is important to let it run, because otherwise it won’t load our desired shared library.
aaa; ood; dcu main
then, check the name of the loaded binaries, and finally search for symbols in our load library, and greping for system.
so, the (virtual)address of system on the RAM is 0xf7dcd430, let’s put it into the script,
[level7.py]
{% include_relative scripts/level7.py %}
Flag: 54RtepCEU0
we can see it doesn’t have ASLR but have stack protection.
the address we want to insert is the address of the hacked function: 0x804930f
the address we will override is the address of the ptr: 0xffffd218
they can be found here:
the python script for creating the payload can is here: [level8.py]
{% include_relative scripts/level8.py %}
Flag: i1SQ81fkb8
we can see it doesn’t have ASLR and no stack protection.
we will generate shellcode using the shellcode.py script
now we will load the shellcode into env variable:
export SHELLCODE=$(python3 shellcode.py)
we need to find the address of the env variable, using the get_address.c. notice to compile it with the -m32 flag, for example: gcc -m32 get_address.c -o get_address
we’ll try to override the address of printf and put there our address of shellcode.
as you can see, there is the buffer of bluh which is 20 bytes. then, the address of the buffer bok, then the of ebp, and then the ret-address.
after finding the address of the env variable, in our case: 0xffffd511, we need to insert it to the script that solves the challenge [level9.py]
{% include_relative scripts/level9.py %}
we need to play a bit with the script to find the right addres of bok, it might be a little different than the address in the debugger.
Flag: 1FFD4HnU4K