rtmoran.org — Cybersecurity and Linux Resource

CategoryOverTheWire – Leviathan

Exploit common Linux scripting vulnerabilities with OverTheWire’s Leviathan series. A great starting point for Linux privilege escalation.

OverTheWire Leviathan – Level 2

When listing leviathan2‘s user directory we again find an ELF 32-bit executable, printfile, with the SETUID bit set.

ltrace output:

leviathan2@leviathan:~$ ltrace ./printfile '/etc/leviathan_pass/leviathan2'
 __libc_start_main(0x804852b, 2, 0xffffd764, 0x8048610 
 access("/etc/leviathan_pass/leviathan2", 4)      = 0
 snprintf("/bin/cat /etc/leviathan_pass/lev"…, 511, "/bin/cat %s", "/etc/leviathan_pass/leviathan2") = 39
 geteuid()                                        = 12002
 geteuid()                                        = 12002
 setreuid(12002, 12002)                           = 0
 system("/bin/cat /etc/leviathan_pass/lev"…ougahZi8Ta
  
 --- SIGCHLD (Child exited) ---
 <… system resumed> )                           = 0
 +++ exited (status 0) +++
Continue reading “OverTheWire Leviathan – Level 2”

OverTheWire Leviathan – Level 1

Listing the directory of user leviathan1 reveals a ELF 32-bit executable with it’s SETUID bit set.

leviathan1@leviathan:~$ ls -la
 total 28
 drwxr-xr-x  2 root       root       4096 Oct 29  2018 .
 drwxr-xr-x 10 root       root       4096 Oct 29  2018 ..
 -rw-r--r--  1 root       root        220 May 15  2017 .bash_logout
 -rw-r--r--  1 root       root       3526 May 15  2017 .bashrc
 -r-sr-x---  1 leviathan2 leviathan1 7452 Oct 29  2018 check
 -rw-r--r--  1 root       root        675 May 15  2017 .profile
 leviathan1@leviathan:~$ file check
 check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c735f6f3a3a94adcad8407cc0fda40496fd765dd, not stripped
Continue reading “OverTheWire Leviathan – Level 1”