leviathan6 prompts the user for a 4-digit password. Reviewing the executable with
strings produces nothing obvious, so let’s move on to the next most obvious step — brute-forcing.
There’re plenty of different ways to write up a script to brute-force leviathan6’s 4-digit password. For this instance, I’m just going to use a for-loop.
Continue reading “OverTheWire Leviathan – Level 6”
ltrace against SUID ELF .
leviathan5@leviathan:~$ ltrace ./leviathan5
__libc_start_main(0x80485db, 1, 0xffffd784, 0x80486a0
fopen("/tmp/file.log", "r") = 0
puts("Cannot find /tmp/file.log"Cannot find /tmp/file.log
) = 26
+++ exited (status 255) +++
Continue reading “OverTheWire Leviathan – Level 5”
Executing the 32-bit ELF executable,
bin, found in directory ./
leviathan4’s user directory, returns a string of binary characters. There are plenty of tools that can be used to translate the binary text to ASCII characters, and in this instance I used Perl.
Continue reading “OverTheWire Leviathan – Level 4”
Again, by reviewing the dynamic library calls of the SETUID ELF, level3, found within user leviathan3’s home directory, we can observe another strcmp() call comparing the inputted password to the accepted value.
Continue reading “OverTheWire Leviathan – Level 3”
leviathan2’s user directory we again find an ELF 32-bit executable, printfile, with the SETUID bit set.
leviathan2@leviathan:~$ ltrace ./printfile '/etc/leviathan_pass/leviathan2'
__libc_start_main(0x804852b, 2, 0xffffd764, 0x8048610
access("/etc/leviathan_pass/leviathan2", 4) = 0
snprintf("/bin/cat /etc/leviathan_pass/lev"…, 511, "/bin/cat %s", "/etc/leviathan_pass/leviathan2") = 39
geteuid() = 12002
geteuid() = 12002
setreuid(12002, 12002) = 0
--- SIGCHLD (Child exited) ---
<… system resumed> ) = 0
+++ exited (status 0) +++
Continue reading “OverTheWire Leviathan – Level 2”
Listing the directory of user leviathan1 reveals an ELF 32-bit executable with its SETUID bit set.
leviathan1@leviathan:~$ ls -la
drwxr-xr-x 2 root root 4096 Oct 29 2018 .
drwxr-xr-x 10 root root 4096 Oct 29 2018 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-r-sr-x--- 1 leviathan2 leviathan1 7452 Oct 29 2018 check
-rw-r--r-- 1 root root 675 May 15 2017 .profile
leviathan1@leviathan:~$ file check
check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c735f6f3a3a94adcad8407cc0fda40496fd765dd, not stripped
Continue reading “OverTheWire Leviathan – Level 1”
leviathan0’s user directory reveals a hidden directory .backup. Within the .backup/ directory reveals the HTML file,
Seeing as we are looking for the password for user leviathan1, let’s attempt to grep the bookmarks.html file for a password.
grep password bookmarks.html
Continue reading “OverTheWire Leviathan – Level 0”
What is port knocking?
Port knocking is a method of securing external-facing services that are explicitly blocked by firewall rules: firewall access is enabled only when a correct sequence of connection attempts to random, predetermined ports is received. Upon receipt of a correct sequence of connection attempts, the firewall rules are modified on the requested server, temporarily enabling access to the service for the requesting client.
The popular port knocking tool, Knockd, allows users to customize a variety of options to tweak their Knockd deployment. A user might customize the length of the port knocking sequence, the ports specified, the protocol (TCP/UDP), the packet’s flag type(s) (syn, ack, fin…), timeout period, and even an alternate sequence of ports to close the connection.
Before we jump into defining the steps needed to install a Knockd instance, let’s see it in action…
Preliminary Nmap Scan
To start, I have a CentOS machine on my local network (IP – 192.168.1.14) with an SSH server configured and enabled on port 22. Knockd has been enabled and a firewall rule has been configured to block all incoming traffic destined for port 22 (ssh).
Continue reading “Port Knocking & Knockd Configuration”
I wanted to follow up a previous post, where I described the process of configuring a CentOS router with the intention of creating a separate, internal LAN. There we simply deployed a router to separate an external WAN from our LAN and configured the router to pass along all traffic between the two interfaces.
This time I wanted to deploy a router for the purpose of serving content from an internal web server to an external LAN or WAN.
While this is something that I used recently for a local hackathon, I believe it has greater “real world” application, and can be modified only slightly to accommodate the deployment of other services or applications.
Continue reading “CentOS Router Configuration for a Web Server”
In preparation for an upcoming hackathon, I began working with CentOS as a means to route traffic between two VMware machines: a ParrotOS machine, and a Metasploitable2 machine – both configured on different subnets.
For this tutorial I used the following:
- VMware Workstation 15
- CentOS (Minimal Installation)
CentOS Router Configuration
First, let’s configure the CentOS router to forward traffic between the ParrotOS machine (residing on network 192.168.10.0) and the Metasploitable2 machine (residing on network 192.168.20.0).
Continue reading “CentOS Router: Configuration in Vmware”