Leviathan — OverTheWire Wargame — Writeup

Leviathan — dare you face the lord of the oceans?
ssh leviathan0@leviathan.labs.overthewire.org -p 2223
Finding out which directory we are in (pwd) and looking at what’s in the directory (ls -la)
Exploring the hidden directory called ‘backup’
The ‘-i’ flag tells grep to perform a case-insensitive search
ssh leviathan1@leviathan.labs.overthewire.org -p 2223
Contents of leviathan1’s home directory
Running ‘check’, being asked for a password and trying ‘password_attempt’
Snippet of the output after running ‘strings check’ — notice the C functions
The important output from ‘ltrace ./check’
We get dropped into a shell with the user ID of leviathan2, allowing us to read leviathan2’s password
As usual, listing the contents of the directory and running the executable (printfile) to see its behaviour
As expected, printfile does appear to be similar to ‘cat’
-r-sr-x---  1 leviathan3 leviathan2 7436 Aug 26  2019 printfile
Output of ltrace with files that we can and cannot read with printfile
access() man page
file_to_check = arg[1]
if access(file_to_check): # if access() returns 0, continue
continue
else: # if access() returns anything other than 0, exit
exit
Done!
An easier road to level 4
nums = open('nums.txt','r').read().split()
for i in range(len(nums)):
nums[i] = chr(int(nums[i],2))
password = ""
print(password.join(nums))
Getting the password for leviathan6 using a symbolic link
for i in {0..10000}; do echo "trying $i"; ./leviathan6 $i | grep -v "Wrong"; sleep 0.005; done
The script stops at 7123, which is the passcode. Using it drops us into a shell as leviathan7
Leviathan? Completed it mate…

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
hrbrtschmu1l

hrbrtschmu1l

Detailed posts about offensive security