- Published on
Over The Wire - Leviathan
Level 0
ssh leviathan0@leviathan.labs.overthewire.org -p 2223
leviathan0
Find the password by searching hidden directories and then greping for the name of the next challenge in files.
grep leviathan1 bookmarks.html
Level 1
We have a bin file owned by leviathan2
ssh leviathan1@leviathan.labs.overthewire.org -p 2223
PPIfmI1qsA
ltrace
prints the function calls which script invokes. It analyzes the program.
Afterwards we see a hardcoded output.
If we run the file again and then enter the hardcoded password we'll see we've switched users.
Now we can check for the password inside of `/etc/leviathan_pass?leviathan2
Level 2
ssh leviathan2@leviathan.labs.overthewire.org -p 2223
mEh5PNl10e
Exploit a flaw in the executable.
mktemp -d
touch /tmp/tmp.POGVtTjK6O/"pass file.txt"
ltrace ./printfile /tmp/tmp.POGVtTjK6O/"pass file.txt"
Link file which points to
ln -s /etc/leviathan_pass/leviathan3 /tmp/tmp.s7E8Gz5BRw/test
chmod 777 /tmp/tmp.s7E8Gz5BRw
./printfile /tmp/tmp.s7E8Gz5BRw/"test file.txt"
https://www.unix.com/tips-and-tutorials/19060-unix-file-permissions.html
Level 3
ssh leviathan3@leviathan.labs.overthewire.org -p 2223
Q0G8j4sakn
ltrace ./level3
Reading the output we see that the comparison password is hardcoded.
./level3
snlprintf
cat /etc/leviathan_pass/leviathan4
Level 4 - Analyze file for SUID binaries
ssh leviathan4@leviathan.labs.overthewire.org -p 2223
AgvropI4OA
ls -al
cd .trash
./bin
echo 0100010101001011010010110110110001010100010001100011000101011000011100010111001100001010 | perl -lpe '$_=pack"B*",$_'
We notice .trash
has elevated permissions so check it out. The same thing happens for .bin
.
The output is clearly binary so with a search we parse it to ASCII
Level 5 -
ssh leviathan5@leviathan.labs.overthewire.org -p 2223
EKKlTF1Xqs
We notice the bin leviathan5
fails so we create the log file for which it complains after analyizing with ltrace.
touch /tmp/file.log
./leviathan5
ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
./leviathan5
Create a link to leviathan6
from file.log
which executes when we run the leviathan5
bin.
Level 6 - Hack password in register using gdb
ssh leviathan6@leviathan.labs.overthewire.org -p 2223
YZ55XPVk2l
Debug the script at assembly level using gdb
gdb --args leviathan6 0000
View every assembly level instruction in the script.
disassemble main
Set a breakpoint
break *0x0804922a
Run the program
run
See what values are contained within the registers
info registers
Make the comparison like the command would and check the output
print $ebp-0xc
x 0xffffd4cc
print/d 0x00001bd3
7123
Level 7 - Analyze file for SUID binaries
ssh leviathan7@leviathan.labs.overthewire.org -p 2223
Incredible.
8GpZ5f8Hze