This one is a fairly simple level. As you can see from the image below

There is a value that is initialized at 0x41414141 and you need to change it to deadbeef. The buffer can hold a maximum of 20 characters. So in order to overflow the buffer and go into changing the value of val, you just need to input 20 characters and put \xef\xbe\xad\xde\, which is how deadbeef has to be put in because of little endianness

Making the python script was fairly simple for this too. All you have to do is make the ssh connection, execute the file and send the payload which is A*20 + the little endian of deadbeef(which can be done very easily by using the p32 command in pwntools). Fortunately for us pwntools allows us to do all those really fast. For running the file, you need to use the run command in pwntools, and then do recvuntill(':') because you want to receive the code untill it asks for input. And then you send the payload by using the sendline command in pwntools. The output from running the pwntools is given below

Here's the link to the script for Narnia0

This level mainly deals with the environment variables

As you can see from the code above, all this executable file does is call the environment variable EGG

We can easily change the environment value of EGG and call it to execute commands as you can see in the image below. So to complete this level we just need to put a shell code as the value for egg. You can find a bunch of shell codes at shell-storm

In order to write our python script we need to do just that. Our payload has to be export EGG="shellcode" and then we need to run the narnia1 executable after that. The output from my script is given below

Here's the link to the script for Narnia1

This level mainly deals with buffer overflow

As you can see from the code above, all this executable file does is copy the argv[1] into buf variable(that can hold 128 chars) and then prints out the buf. Important to note that strcpy can be expoited by buffer overflows

So for this level, all we would need to do is pass in an argument that overflows the buf, inserts a shell code into it, and then has a return "Sled" at the end.

Let's look at what's happening in the picture above. So i tried running the file with 128 'A's, and it executed properly. Then i tried running it with 133 'A's and it gave me a SIGSEGV signal, which is what we kind of want, so we are getting there. Then i tried running it with 136 'A's and it gave me a SIGSEGV again, but notice how the return address was changed from 0xf7e20048 to 0x41414141. 0x41 is 'A' btw. So the return address is somewhere above 136 or is 136. It turned out to be in 136. After a bunch of tries putting the value 0xdeadbeef(which is 4 bytes long), I found that 132 works since you can see that the 0x41414141 has changed into 0xdeadbeef. So 132 is what we want, however you have to take into account the shell code, which for the one i used is 28 chars long. So when inserting the shell code it has to be 132-28 'A's printed and then the shell code which is 28 chars and then the return address.Now how do we find what the return address is.

Now let's look at the above picture. We are looking at the memory addresses of the esp register. We can get our return address from here. Look at all the 0x41 aka 'A's that are there. I used 0xffffd890 as my return address

I was kind of having trouble writing the script for this one because of my inexperience with using pwntools. At first I tried making the payload=A*104+ exe + shellcode + return_address, which is what needs to be run. But it wasn't working. So i gave in and put in the python commands in string. It didn't work still but then I noticed I wasn't escaping the backslash in the strings. Because of that it was giving a different output than \x90\xd8\xff... But anyways after doing that it worked :), and here's the output below

Here's the link to the script for Narnia2

In order to complete this level you must know how to symlink files and also know buffer overflow

Looking at the code above, it looks more complicated than the others. However, take a closer look and you'll notice the strcpy function is vulnerable. If you remember from the last level, the strcpy was the one function we exploited. It's vulnerable because it doesn't check for the amount of chars that is being input into it. Now what does the strcpy in the code do? It copies argv[1] into the ifile variable(which has a size of 32). And then afterwards it checks to see if the file can be read and openned. If it can be read and openned then it just copies it's contents to /dev/null

In order to exploit the code we need to overwrite the contents of ifd to point towards one of our own file. So just make a file in the tmp directory. Now how do you overwrite data to point towards ifd?. You need 32 chars minus the /tmp/ directory. So it becomes 32-5= 27. So you need 27 chars + /tmp/ + filename to be what's input into the executable. Make a 27 char long dir and then make a tmp dir there. Afterwards you must symlink a file in the tmp dir with the same name as the one you created at the beginning. Symlink it to /etc/narnia_pass/narnia4 because the executable has permission to read that file and that's we need. Run the file with the tmp dir and the executable and you should get the file.

The picture above shows my script being run. To make the script i basically put all those commands into a payload string seperated by ";" after every command. I made a bunch of variables for the filename, the overflow, directory name, the name of executable and the filepath that will be run at the end. I used the cyclic function instead of the a*27 command in python because at the beginning of my script it removes all files and dir that is being used(to prevent errors such as "file already exists"). I used cyclic because I did not want to overwrite remove the more common directories that get used. The exploit of the code is basically the same as the others. Open the shell, read the code for the level(you can skip this), send the payload to the shell and then cat the password, and then put it in interactive mode(this one isn't like the others because you're still running as narnia3 but you know the password so you can ssh into narnia3). I wasted a long time on this script because I forgot to put narnia3 on the executable(I am dumb).

Here's the link to the script for Narnia3