On March 25th I wrote about my experiences so far with the wargames at overthewire.org. After writing that, I decided that it was time to solve the Narnia wargame.
Levels 0 through 4 let you practice buffer overflow techniques. Fairly easy to solve if you read "Smashing the Stack for Fun and Profit". Level 3 requires a bit of outside-the-box thinking.
Level 5 is a simple intro to format string vulnerabilities. It's also fairly easy to solve, if you read any paper about format string vulnerabilities. ;-)
Level 6 bugged me very much, since I didn't think enough outside the box. Actually, I got so frustrated that I decided to leave narnia6 alone for a while and try my luck on Natas (I'll get back to that later).
Level 7 was another format string exercise. It gave me quite a lot of trouble, but then I read this PDF file and by playing around with the format string I eventually solved it. I spent more than a week on this level, but solved it eventually. I need more practice with exploiting format strings! :-P
Level 8 was another hard nut to crack for me. I had a clear idea about what needed to be done, but couldn't get it to work. After a couple of weeks, I gave in and searched for a solution on Google. After figuring out that a certain address was stored two times on the stack, everything came together and the level was solved.
My thought about Narnia
This was a great wargame for a beginner! The levels get increasingly harder and I learned a lot during the time I spent working my way through the levels. Also, it is really rewarding when you get to do a victory dance, celebrating your newfound knowledge. :-P The only downside is that the level descriptions are missing. A couple of hints now and again would be very helpful, but I think somebody is working on that.
Natas is about server-side web (HTTP) attacks. It covers quite a few techniques, such as file inclusions, (blind) SQL injections, abusing parameters and much more. It was very fun, and a nice break from Narnia. I think people developing web apps should solve this wargame; it will surely teach them something about web application security. Quick tip: Level 16->17 requires you to use newlines, so figure out how to put them in a URL.
All in all, a couple of very fun wargames! I recommend that people interested in programming, computer security or computers in general try their luck with these two. You might learn something. Also, I don't consider it cheating that I had to look at a solution for Narnia8. After all, I'm doing this to learn and I would get nowhere if I didn't look for new knowledge. :-)
Written by Jannich Brendle, Fri 17 May 2013, in Security