Overthewire.org - Leviathan

Write-Up

Posted on July 25, 2016 as Overthewire. 7 minutes read.

Introduction

Today we're gonna try the Leviathan wargame, which requires some common sense and a little bit of knowledge about Unix commands.

Let's get started!

0 –> 1

The first thing is to log in to the leviathan0 account using SSH. Then we're gonna take a look at the home directory using the ls -la command.

[email protected]:~$ ls -la
total 24
drwxr-xr-x   3 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
drwxr-x---   2 leviathan1 leviathan0 4096 May 15 02:15 .backup
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile

The results show us a hidden .backup folder, containing a file called bookmarks.html.

[email protected]:~$ cd .backup
[email protected]:~/.backup$ ls -la
total 140
drwxr-x--- 2 leviathan1 leviathan0   4096 May 15 02:15 .
drwxr-xr-x 3 root       root         4096 Nov 14  2014 ..
-rw-r----- 1 leviathan1 leviathan0 133259 Nov 14  2014 bookmarks.html

Searching the file manually would probably take us years, so why not grep it for the word password?

[email protected]:~/.backup$ cat bookmarks.html | grep password

<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is *******" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

1 –> 2

Once again let's view the files in the home directory; this time we have a file called check.

[email protected]:~$ ls -la
total 28
drwxr-xr-x   2 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan2 leviathan1 7493 Nov 14  2014 check

When we run it, it asks us for a password; maybe running it under ltrace will reveal something useful.

[email protected]:~$ ./check
password: password
Wrong password, Good Bye ...
[email protected]:~$ ltrace ./check
__libc_start_main(0x804852d, 1, 0xffffd7a4, 0x80485f0 <unfinished ...>
printf("password: ")                                                                                    = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642password: password
)                                                            = 112
getchar(0x8048680, 47, 0x804a000, 0x8048642)                                                            = 97
getchar(0x8048680, 47, 0x804a000, 0x8048642)                                                            = 115
strcmp("pas", "sex")                                                                                    = -1
puts("Wrong password, Good Bye" ...Wrong password, Good Bye ...
)                                                                    = 29
+++ exited (status 0) +++

Yeah, it compares the first three characters of our input with 'sex' using the strcmp function, so 'sex' is the desired password.

[email protected]:~$ ./check
password: sex
$ cat /etc/leviathan_pass/leviathan2
*******

After entering the password correctly, we are given a shell where we can view the password for the next level.

2 –> 3

We are given a file called printfile, whose purpose is printing files (obviously :D). Let's try it directly on the password file first.

[email protected]:~$ ls -la
total 28
drwxr-xr-x   2 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan3 leviathan2 7498 Nov 14  2014 printfile

[email protected]:~$ ./printfile
*** File Printer ***
Usage: ./printfile filename
[email protected]:~$ ./printfile /etc/leviathan_pass/leviathan3
You cant have that file...

:(

Now we have to try something different. First, create a directory in /tmp. The next step is to create two files: the first, called pass, is a symbolic link to our password file, and the second is called pass qwer. You can name them however you want, but the trick is that the second file's name must start with the first file's name, followed by a space, like this:

[email protected]:~$ mkdir /tmp/w3nditor
[email protected]:~$ cd /tmp/w3nditor
[email protected]:/tmp/w3nditor$ ln -s /etc/leviathan_pass/leviathan3 ./pass
[email protected]:/tmp/w3nditor$ touch pass\ qwer

Then we can run printfile on the pass qwer file we just created. The trick works because printfile first checks that we are allowed to access the file, which passes since pass qwer exists; then the cat command treats the name as two separate files, pass and qwer, so we can read the password through the symbolic link we created earlier.

[email protected]:~$ ./printfile /tmp/w3nditor/pass\ qwer
*******
/bin/cat: qwer: No such file or directory

3 –> 4

In this one, we get a file called level3 that asks us for a password when executed.

[email protected]:~$ ls -la
total 32
drwxr-xr-x   2 root       root       4096 Mar 21  2015 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan4 leviathan3 9962 Mar 21  2015 level3
[email protected]:~$ ./level3
Enter the password> password
bzzzzzzzzap. WRONG

Let’s once again use ltrace to check for anything useful.

[email protected]:~$ ltrace ./level3
__libc_start_main(0x80485fe, 1, 0xffffd7a4, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                       = -1
printf("Enter the password> ")                   = 20
fgets(Enter the password> password
"password\n", 256, 0xf7fc9c20)             = 0xffffd59c
strcmp("password\n", "snlprintf\n")              = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)                       = 19
+++ exited (status 0) +++

In this level, it uses strcmp between our string and ‘snlprintf’.

[email protected]:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ cat /etc/leviathan_pass/leviathan4
*******

And it works perfectly!

4 –> 5

[email protected]:~$ ls -la
total 24
drwxr-xr-x   3 root root       4096 Nov 14  2014 .
drwxr-xr-x 172 root root       4096 Jul 10 14:12 ..
-rw-r--r--   1 root root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root        675 Apr  9  2014 .profile
dr-xr-x---   2 root leviathan4 4096 Nov 14  2014 .trash
[email protected]:~$ cd .trash
[email protected]:~/.trash$ ls -la
total 16
dr-xr-x--- 2 root       leviathan4 4096 Nov 14  2014 .
drwxr-xr-x 3 root       root       4096 Nov 14  2014 ..
-r-sr-x--- 1 leviathan5 leviathan4 7425 Nov 14  2014 bin
[email protected]:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010

This one prints a binary string which, after converting to ASCII, gives: ******* – the password for the next level.

5 –> 6

Now we get a file that is looking for /tmp/file.log for some reason.

[email protected]:~$ ls -la
total 28
drwxr-xr-x   2 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan6 leviathan5 7634 Nov 14  2014 leviathan5
[email protected]:~$ ./leviathan5
Cannot find /tmp/file.log

Creating a symbolic link at /tmp/file.log that points to the leviathan6 password file lets us see the password.

[email protected]:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
[email protected]:~$ ./leviathan5
*******
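
Levels 2 and 5 both come down to a setuid helper trusting a path name: printfile passes the name on to /bin/cat, where it is split at the space, and leviathan5 follows a link planted in /tmp. The C code below is an added example, not code from the wargame or from this write-up; it shows one hardened way to print a file, and the names open_for_caller, print_file and demo, as well as the rule that only files owned by the invoking user may be printed, are assumptions.

```c
/* Added example, not the wargame's source; the owner-only policy is assumed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a read-only fd, or -1 for a symlink, a non-regular file or a file
 * not owned by the real UID. Checks run on the opened fd, never on the name. */
int open_for_caller(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1; /* ELOOP when the last component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Copies the file to out_fd with read/write; the name never reaches a shell,
 * so "pass qwer" stays one path. Returns bytes written, or -1 on error. */
long print_file(const char *path, int out_fd) {
    char buf[4096];
    long n, total = 0;
    int fd = open_for_caller(path);
    if (fd < 0) return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0 && write(out_fd, buf, n) == n)
        total += n;
    close(fd);
    return n == 0 ? total : -1;
}

/* Constructed fixture: regular file "pass qwer" plus a symlink "pass" to it.
 * Returns 1 when the link is refused and the 5-byte file is printed. */
int demo(void) {
    char dir[] = "/tmp/pfdemoXXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/pass qwer", dir);
    snprintf(lnk, sizeof lnk, "%s/pass", dir);
    FILE *f = fopen(file, "w");
    if (!f || fputs("demo\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(file, lnk) != 0) return -1;
    int out = open("/dev/null", O_WRONLY);
    int ok = open_for_caller(lnk) == -1 && print_file(file, out) == 5;
    close(out); unlink(lnk); unlink(file); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only guards the last path component; under the assumed owner-only policy, the fstat ownership check on the opened descriptor also rejects a target reached through a linked directory.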

6 –> 7

This time we’ve got an executable which asks for a 4-digit code.

[email protected]:~$ ls -la
total 28
drwxr-xr-x   2 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan7 leviathan6 7484 Nov 14  2014 leviathan6
[email protected]:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>
[email protected]:~$ ./leviathan6 1111
Wrong

The only way to get access is brute-forcing the passcode. We can use any programming language, but this time I’ll write a simple bash loop.

[email protected]:~$ for i in {0000..9999}; do ./leviathan6 $i; echo $i; done

Wrong
7119
Wrong
7120
Wrong
7121
Wrong
7122
$ cat /etc/leviathan_pass/leviathan7
*******
$

And here we go! We’ve got the password!

Thanks for the challenge! Hope you enjoyed solving these problems as much as I did.

Keep learning and stay safe!

~ W3ndige