March 25th I wrote about my experiences so far with the wargames at
overthewire.org. After writing that, I decided that it was time to solve
the Narnia wargame.

Levels 0 through 4 let you practice buffer overflow techniques. Fairly
easy to solve if you read Smashing the stack for fun and profit.

Level 3 requires a bit of outside-the-box thinking.

Level 5 is a simple intro to format string vulnerabilities. It's also
fairly easy to solve, if you read any paper about format string

Level 6 bugged me very much, since I didn't think enough outside the
box. Actually, I got so frustrated that I decided to leave narnia6
alone for a while and try my luck on Natas (I'll get back to that

Level 7 was another format string exercise. It gave me quite a lot of
trouble, but then I read this PDF file and by playing around with
the format string I eventually solved it. I used more than a week on
this level, but solved it eventually. I need more practice with
exploiting format strings! :-P

Level 8 was another hard nut to crack for me. I had a clear idea about
what needed to be done, but couldn't get it to work. After a couple of
weeks, I gave in and searched for a solution on Google. After figuring
out that a certain address was stored two times on the stack, everything
came together and the level was solved.

My thought about Narnia

This was a great wargame for a beginner! The levels get increasingly
harder and I learned a lot during the time I spent working my way through
the levels. Also, it is really rewarding when you get to do a victory
dance, celebrating your newfound knowledge. :-P The only downside is
that the level descriptions are missing. A couple of hints now and
again would be very helpful, but I think somebody is working on that.

Natas is about server side web (http) attacks. It covers quite a few
techniques, such as file inclusions, (blind) SQL injections, abusing
parameters and much more. It was very fun, and a nice break from Narnia.
I think people developing web apps should solve this wargame, it will
surely teach them something about web application security. Quick tip:
Level 16->17 requires you to use newlines, so figure out how to put
them in a URL.

All in all, a couple of very fun wargames! I recommend that people
interested in programming, computer security or computers in general try
their luck with these two. You might learn something. Also, I don't
consider it cheating that I had to look at a solution for Narnia8. After
all, I'm doing this to learn and I would get nowhere if I didn't look
for new knowledge. :-)