• overthewire
    OverTheWire - Leviathan

    OverTheWire Leviathan – Level 6

    Executable leviathan6 prompts the user for a 4-digit password. Reviewing the executable with ltrace, strace, and strings produces nothing obvious, so let’s move on to the next most obvious step — brute-forcing. There’re plenty of different ways to write up a script to brute-force leviathan6‘s 4-digit password. For this instance, I’m just going to use a for-loop.

  • overthewire
    OverTheWire - Leviathan,  Tutorials

    OverTheWire Leviathan – Level 2

    When listing leviathan2‘s user directory we again find an ELF 32-bit executable, printfile, with the SETUID bit set. ltrace output: leviathan2@leviathan:~$ ltrace ./printfile '/etc/leviathan_pass/leviathan2' __libc_start_main(0x804852b, 2, 0xffffd764, 0x8048610 access("/etc/leviathan_pass/leviathan2", 4) = 0 snprintf("/bin/cat /etc/leviathan_pass/lev"…, 511, "/bin/cat %s", "/etc/leviathan_pass/leviathan2") = 39 geteuid() = 12002 geteuid() = 12002 setreuid(12002, 12002) = 0 system("/bin/cat /etc/leviathan_pass/lev"…ougahZi8Ta --- SIGCHLD (Child exited) --- <… system resumed> ) = 0 +++ exited (status 0) +++

  • overthewire
    OverTheWire - Leviathan,  Tutorials

    OverTheWire Leviathan – Level 1

    Listing the directory of user leviathan1 reveals a ELF 32-bit executable with it’s SETUID bit set. leviathan1@leviathan:~$ ls -la total 28 drwxr-xr-x 2 root root 4096 Oct 29 2018 . drwxr-xr-x 10 root root 4096 Oct 29 2018 .. -rw-r--r-- 1 root root 220 May 15 2017 .bash_logout -rw-r--r-- 1 root root 3526 May 15 2017 .bashrc -r-sr-x--- 1 leviathan2 leviathan1 7452 Oct 29 2018 check -rw-r--r-- 1 root root 675 May 15 2017 .profile leviathan1@leviathan:~$ file check check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c735f6f3a3a94adcad8407cc0fda40496fd765dd, not stripped