\/narnia\/<\/code>. Using the password we obtained in Narnia 0, we can now login as user narnia1<\/code> and change to the narnia directory. Then reviewing the source code and the binary, we can determine how to exploit this particular level. Let’s get started. <\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-login.png?resize=878%2C700&ssl=1\")
<\/figure>\n\n\n\nWhen listing the directory we can see all levels of Narnia. The concern of this walkthrough is narnia1.c<\/code> and narnia1<\/code>. Viewing this directory listing we can see that narnia1<\/code> when executed runs as the user narnia2 and is executable by the user narnia1. Running .\/narnia1<\/code>we see the response “Give me something to execute at the env-variable EGG”. With this we can gleam some information from it’s output. Env-Variable<\/a> is expecting the environment variable EGG<\/code> to contain data. Let’s break down the source code.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-execute.png?resize=852%2C121&ssl=1\")
<\/figure>\n\n\n\nSource code and breakdown<\/h3>\n\n\n\n
cat<\/code> is an essential tool for any Linux distribution and can assist users in reading files. This in turn allows us to read the narnia1.c<\/code> source file. Running the command cat narnia1.c<\/code> from the \/narnia\/<\/code> directory we get the following source code.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-source_code-no_comment.png?resize=977%2C503&ssl=1\")
cat \/narnia\/narnia1.c -<\/code>Source code minus the narnia comments.<\/figcaption><\/figure>\n\n\n\nIf you’ve never seen the C programming language before it might be a little foreign to you. Let’s break it down line by line and hopefully get an idea of what’s happening in our binary. I have copied the code to VSCode<\/a> for ease of commenting.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/image-14.png?resize=852%2C39&ssl=1\")
Lines 1-2<\/figcaption><\/figure>\n\n\n\nThe #include <stdio.h><\/code> is used to import all standard input and output functions defined in the stdio header file, such as printf<\/code>and NULL<\/code>.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/image-11.png?resize=852%2C21&ssl=1\")
Line 3<\/figcaption><\/figure>\n\n\n\nEvery C program has a main()<\/code> function and is the entry point of the binary once the source code has been compiled. Within main<\/code> is where we get to the real meat of the program.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/image-15.png?resize=852%2C42&ssl=1\")
Lines 3-4<\/figcaption><\/figure>\n\n\n\nWithin main()<\/code> we see the above code which declares the ret()<\/code>function as a prototype to use further down in the code. Because C programming is procedural, defining it first will save us from an error upon compilation. Now let’s visit the if<\/code> statement.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/image-16.png?resize=852%2C78&ssl=1\")
Lines 6-9<\/figcaption><\/figure>\n\n\n\nThe above 4 lines of code are a conditional statement<\/a> and will execute a specific set of instructions in the code. This case it is pulling in the environment variable “EGG”, if it is empty, or rather NULL<\/code> in this case, it will print “Give me something to execute at the env-variable EGG” and exit(1)<\/code> will then exit the program.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/image-17.png?resize=852%2C134&ssl=1\")
Lines 10-16<\/figcaption><\/figure>\n\n\n\nIf the environment variable “EGG” has data, the conditional statement covered in lines 6-9 will be skipped and will then print “Trying to execute EGG!”. The program will assign the data in the environment variable “EGG” into ret<\/code>, then execute the data, and then exit.<\/p>\n\n\n\nHopefully with all that explained above we can start diving into exploiting the narnia1<\/code> binary using what we’ve gathered from the code breakdown.<\/p>\n\n\n\nDebugging and Analysis<\/h3>\n\n\n\n
Leaving the “EGG” environment variable empty we receive the expected output based on the code review. But what happens when we give it something to execute. To set an environment variable in Linux we can run the simple command export EGG=cd<\/code>. To view the env variable we just set, run echo $EGG<\/code>.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-envvar-cd.png?resize=574%2C133&ssl=1\")
Setting ‘cd’ as our env variable for EGG<\/figcaption><\/figure>\n\n\n\nWith data now set on variable “EGG”, we can now run .\/narnia1<\/code> and see what happens.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-execute-cd.png?resize=492%2C125&ssl=1\")
<\/figure>\n\n\n\nLook at that, we have a “Segmentation fault”. This means we have an abnormal condition that caused the program to exit. Lucky for us, GDB is on the narnia host, loading the binary into gdb using gdb narnia1<\/code> we can start looking at what the binary is doing. Once gdb has loaded, we can run the command disassemble main<\/code> which is going to print the memory addresses and assembly code for everything happening in the main()<\/code> function we saw above. <\/p>\n\n\n\n![\"\"](\"https:\/\/i1.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/image-19.png?fit=750%2C868&ssl=1\")
(gdb) disassemble main<\/code><\/figcaption><\/figure>\n\n\n\nYour memory addresses will differ so refer to the image above for the rest of the article. From memory address 0x08048476<\/code> to 0x0804848f<\/code> this is the conditional statement discussed previously that prints a msg to the screen and exits the program if “EGG” has no data. Since we have data in the “EGG” variable it will be skipped and move to the 0x0804849b<\/code> memory location where it will print “Trying to execute EGG!” to the console. Moving down to memory address 0x080484a8<\/code> through 0x080484b3<\/code>, this is where the program calls getenv(“EGG”) in the program, makes space on the stack, and assigns the data in “EGG” to the EAX<\/a> register. Looking at the 0x080484b6<\/code> memory address we see the program calling *%eax<\/code> which is the ret() function being executed. Our first stop to see whats happening is to set a break point on that call and see what is on the stack.<\/p>\n\n\n\nUsing the memory address of eax, we set a breakpoint. This will allow us to stop program execution as the environment variable “EGG” is put on the stack. Set your breakpoint on the (gdb) prompt using break *0x080484b6<\/code>. Then proceed to run the command by simply typing run<\/code>at the (gdb) prompt. The program should stop at the set breakpoint.<\/p>\n\n\n\n![\"\"](\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-gdb-run.png?resize=752%2C243&ssl=1\")
(gdb) run<\/code><\/figcaption><\/figure>\n\n\n\nThis allows some analysis of the stack. While we are stopped on the 0x080484b6<\/code>memory address, let’s view what’s on the stack at that address. Using the x\/25x $eax<\/code> command we can see (in hex) the next 25 values that are set for the eax register.<\/p>\n\n\n\n![\"\"](\"https:\/\/i1.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-gdb-x25x_eax.png?fit=750%2C195&ssl=1\")
(gdb) x\/25x $eax<\/code><\/figcaption><\/figure>\n\n\n\nLooking at the first address on the left (0xffffdea7<\/code>), we see the first value 0x5f006463<\/code>. If we convert this from hex to ascii, we can see the last two bytes 64<\/code> and 63<\/code> convert to d<\/code> and c<\/code> respectively. If you recall from earlier, we made our “EGGS” variable equal to cd<\/code>, with memory being in little-endian format this matches our environment variable data. Knowing that .\/narnia1<\/code> is executable by user narnia1 and runs as user narnia2, let’s use this ability to put data on the stack to get a shell as user narnia2.<\/p>\n\n\n\nExploit<\/h3>\n\n\n\n
We know that shellcode is what we are after since we want to spawn a shell as user narnia2. The site shell-storm.org<\/a> has a plethora of different OS shellcodes available. Running uname -a<\/code> we can see the host is an x86_64 bit based OS so any x86 or x86_64 shells are possibly usable. After a few frustrating shellcode tests and failures later, I found shellcode-607<\/a> worked wonderfully. Within this page is the hex code we are after. Copying the shellcode value and removing any quotes in the value, we end up with something like \\xeb\\x11\\x5e\\x31\\...\\x8a\\xe2\\xce\\x81<\/code>. Using this information we can now prepare our exploit. To place our shellcode into the “EGG” variable we use python to get the hexcode in an acceptable format.<\/p>\n\n\n\n![\"\"](\"https:\/\/i2.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-shellcode-python.png?fit=750%2C81&ssl=1\")
<\/figure>\n\n\n\nWith our environment variable set, we can now execute the .\/narnia1<\/code> binary and get the password for user narnia2.<\/p>\n\n\n\n![\"\"](\"https:\/\/i2.wp.com\/hackmethod.com\/wp-content\/uploads\/2019\/02\/narnia1-shell-1.png?fit=750%2C144&ssl=1\")
<\/figure>\n\n\n\nIf you missed out on Narnia Level 0 click the button on the left to check it out. If you’re all caught up and want to see more, check out the Narnia Level 2 by clicking the button on the right. <\/p>\n\n\n\n
\n\n