Welcome back to my walk-through blog post. Today, we are going to solve the Leviathan challenge at OverTheWire. I would recommend that platform as a way to learn some new privilege techniques and understand the hacking flow.
To start off with this level, the credential is given below:
And, in order to establish a connection between us and the server it will be enough to type:
$ ssh email@example.com -p 2223
As you can see above, there is a “.backup” directory, and inside this directory we see an “.html” file. We can guess that the password may be stored in this “.html” file, so let's give it a try.
I am going to use: “cat bookmarks.html | grep -i 'password'”
Yes!! It works. The password was stored inside the “.html” file, so we can move forward to the next level.
After logging in to the next level, we should be able to see a file called “checked”, a setuid ELF 32-bit LSB executable. Now we can run it and see what it does.
It seems weird, because I waited for a while but nothing happened. I will try the “ltrace” command; some people might not know what this command does.
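ltrace is a program that simply runs the specified command until it exits. It intercepts and records the dynamic library calls made by the executed process and the signals that process receives.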
I want to see what kind of code is inside this binary.
That is awesome. We have “strcmp()”, which just compares the inputted string with the correct one.
I was also going to use “gdb” to disassemble the main function.
Password found ! → “sex”
Do not forget all the passwords are stored at this location → /etc/leviathan_pass
On this level the first thing that we should notice is that we are given another file, which has higher permissions than what we currently have. Create a working directory in the “/tmp” folder using “mkdir” command.
This level is very interesting in my honest opinion.
I am able to view “/etc/passwd”, but I am unable to view → /etc/leviathan_pass/leviathan3!!?
I was trying to investigate this methodology further..
“ltrace” command will be a good option.
I am going to create a directory with a normal .txt file
It seems it has something to do with access() and snprintf().
The access() function checks the file named by the pathname pointed to by the path argument for accessibility according to the bit pattern contained in amode, using the real user ID in place of the effective user ID and the real group ID in place of the effective group ID.
The snprintf() function redirects the output of the standard printf() function to a buffer.
OK, this can be confusing, because after calling the “~/printfile test.tx” command I realized that my “test.txt” was gone!
Can you see something suspicious? In “snprintf()” we have “/bin/cat”, which means that if I create a file called “test.txt”, we might be able to use a symbolic link to exploit it.
We will be using the “ln” command, but what is this command?
ln is a command-line utility for creating links between files. By default, the ln command creates hard links. To create a symbolic link, use the
source : https://linuxize.com/post/how-to-create-symbolic-links-in-linux-using-the-ln-command/
I made a ‘tmp’ directory, and within that directory “exploit.txt” is created.
I was trying to investigate this process while running it.
There is a huge security flaw, and we are able to exploit it: access() checks “pass hack.txt” as a single pathname, but /bin/cat treats “pass hack.txt” as two separate files, “pass” and “hack.txt”.
And boom, g0t the password!!
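The check-then-use mismatch described above, as an added example that is not part of the original post or the challenge's source. The comment sketches the call pattern seen through ltrace (the use of system() is an assumption), and the hypothetical read_as_real_user() is one hardened alternative: it opens the exact name once with the real user's privileges and never builds a shell command.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the walkthrough infers from ltrace (system() is an assumption):
 *   if (access(name, R_OK) == 0) {              one pathname, real UID
 *       snprintf(cmd, sizeof cmd, "/bin/cat %s", name);
 *       system(cmd);                            shell splits on spaces,
 *   }                                           cat runs with effective UID
 */

/* Hypothetical hardened replacement: open the exact name once while running
 * as the real user, then read the descriptor directly (no shell, no re-lookup).
 * Returns the number of bytes read, or -1 on failure. */
ssize_t read_as_real_user(const char *name, char *buf, size_t cap)
{
    uid_t saved = geteuid();
    if (cap == 0 || seteuid(getuid()) != 0)  /* drop setuid rights for the open */
        return -1;
    int fd = open(name, O_RDONLY | O_CLOEXEC);
    int open_errno = errno;
    if (seteuid(saved) != 0)                 /* could not restore: bail out */
        abort();
    if (fd < 0) {
        errno = open_errno;
        return -1;
    }
    struct stat st;
    ssize_t n = -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        n = read(fd, buf, cap - 1);          /* one read is enough for a demo */
    if (n >= 0)
        buf[n] = '\0';
    close(fd);
    return n;
}

int main(int argc, char **argv)
{
    char buf[4096];
    if (argc != 2 || read_as_real_user(argv[1], buf, sizeof buf) < 0)
        return 1;
    fputs(buf, stdout);
    return 0;
}
```

With this shape, a file named “pass hack.txt” is read as that one file, and a name the real user cannot open fails at open() instead of being handed to a privileged cat.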
I found this level much easier than the previous one. You should use your C knowledge to be able to move on to the next level.
- You should be able to see “level3” ELF file
- I was going to run this file with “ltrace” ./level3
- This file checked my password string and, after the comparison, exited
- After I entered a password, strcmp() compared the two strings, and I found the password “snlprintf” for the level3 file.
- When you get your shell, type “cat /etc/leviathan_pass/leviathan4” to get the password for the next level.
After logging in, you should be able to see the “bin” ELF file.
Run it and convert the output from binary to text.
And get your password!!
So far we have had some easy challenges, but let's see what level 5 has for us.
After logging to level 5, we will be able to see:
- This is our challenge file called “leviathan5”
- As you did before, we are going to use the “ltrace” command to see the behaviour of this code!
- hmm fopen() seems interesting
fopen(): The C library function FILE *fopen(const char *filename, const char *mode) opens the file pointed to by filename using the given mode.
source : https://www.tutorialspoint.com/c_standard_library/c_function_fopen.html
for more information you can look at that site
- Let’s go ahead and create a symlink to /etc/leviathan_pass/leviathan6 and link it to /tmp/file.log. It should work, so let's give it a try!!
And boom we have the password for the next level.
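Why the symlink works, and how a privileged reader can refuse it, as an added example that is not part of the original post or the challenge's source. The function name open_trusted_log() and its ownership policy are hypothetical; only the path /tmp/file.log and the fopen() call come from the walkthrough.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the walkthrough describes: a setuid program calls
 *   fopen("/tmp/file.log", "r")
 * which follows whatever symlink another user placed at that name. */

/* Hypothetical hardened open: refuse symlinks in the final path component,
 * then verify on the descriptor itself that this is a regular, singly linked
 * file owned by `owner`. Returns an fd, or -1 with errno set. */
int open_trusted_log(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;                   /* wrong type, owner or link count */
        return -1;
    }
    return fd;
}

int main(void)
{
    /* A setuid reader would expect its own (effective) user to own the log. */
    int fd = open_trusted_log("/tmp/file.log", geteuid());
    if (fd < 0) {
        perror("open_trusted_log");
        return 1;
    }
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    return 0;
}
```

Keeping such files in a directory that only the program's own user can write to avoids the problem at the source, since no other user can place a link there.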
After logging into level 6, you will be able to see a file called “leviathan6”
- I first ran “ls -la” to see all files in this directory
- I saw immediately that it has the permissions of leviathan7
- When I ran this file, it asked me for a 4-digit code
- I put 1111 but it was not correct. So I decided to brute force this file
Let's run this.
- After a while of brute forcing, I got access to leviathan7
Now let's use this password and move on to the next level.
So we are done with this challenge :))
First of all, thanks for reading this blog. If you are interested in such things, please follow me and subscribe… and share with your friends.
Ahmet Göker | Exploit researcher | malware Researcher| Cryptanalyst | CTF player | Reverse Engineering