Published on

Over The Wire - Leviathan

Level 0

ssh -p 2223

Find the password by searching hidden directories and then greping for the name of the next challenge in files.

grep leviathan1 bookmarks.html

Level 1

We have a bin file owned by leviathan2

ssh -p 2223

ltrace prints the function calls which script invokes. It analyzes the program.

Afterwards we see a hardcoded output.

If we run the file again and then enter the hardcoded password we'll see we've switched users.

Now we can check for the password inside of `/etc/leviathan_pass?leviathan2

Level 2

ssh -p 2223

Exploit a flaw in the executable.

mktemp -d
touch /tmp/tmp.POGVtTjK6O/"pass file.txt"

ltrace ./printfile /tmp/tmp.POGVtTjK6O/"pass file.txt"

Link file which points to

ln -s /etc/leviathan_pass/leviathan3 /tmp/tmp.s7E8Gz5BRw/test
chmod 777 /tmp/tmp.s7E8Gz5BRw
./printfile /tmp/tmp.s7E8Gz5BRw/"test file.txt"

Level 3

ssh -p 2223
ltrace ./level3

Reading the output we see that the comparison password is hardcoded.


cat /etc/leviathan_pass/leviathan4

Level 4 - Analyze file for SUID binaries

ssh -p 2223
ls -al
cd .trash

echo 0100010101001011010010110110110001010100010001100011000101011000011100010111001100001010 | perl -lpe '$_=pack"B*",$_'

We notice .trash has elevated permissions so check it out. The same thing happens for .bin.

The output is clearly binary so with a search we parse it to ASCII

Level 5 -

ssh -p 2223

We notice the bin leviathan5 fails so we create the log file for which it complains after analyizing with ltrace.

touch /tmp/file.log
ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log

Create a link to leviathan6 from file.log which executes when we run the leviathan5 bin.

Level 6 - Hack password in register using gdb

ssh -p 2223

Debug the script at assembly level using gdb

gdb --args leviathan6 0000

View every assembly level instruction in the script.

disassemble main

Set a breakpoint

break *0x0804922a

Run the program


See what values are contained within the registers

info registers

Make the comparison like the command would and check the output

print $ebp-0xc
x 0xffffd4cc
print/d 0x00001bd3


Level 7 - Analyze file for SUID binaries

ssh -p 2223