rtmoran.org — Cybersecurity and Linux Resource

Tagoverthewire

OverTheWire Leviathan – Level 2

When listing leviathan2‘s user directory we again find an ELF 32-bit executable, printfile, with the SETUID bit set.

ltrace output:

leviathan2@leviathan:~$ ltrace ./printfile '/etc/leviathan_pass/leviathan2'
 __libc_start_main(0x804852b, 2, 0xffffd764, 0x8048610 
 access("/etc/leviathan_pass/leviathan2", 4)      = 0
 snprintf("/bin/cat /etc/leviathan_pass/lev"…, 511, "/bin/cat %s", "/etc/leviathan_pass/leviathan2") = 39
 geteuid()                                        = 12002
 geteuid()                                        = 12002
 setreuid(12002, 12002)                           = 0
 system("/bin/cat /etc/leviathan_pass/lev"…ougahZi8Ta
  
 --- SIGCHLD (Child exited) ---
 <… system resumed> )                           = 0
 +++ exited (status 0) +++
Continue reading “OverTheWire Leviathan – Level 2”

OverTheWire Leviathan – Level 1

Listing the directory of user leviathan1 reveals a ELF 32-bit executable with it’s SETUID bit set.

leviathan1@leviathan:~$ ls -la
 total 28
 drwxr-xr-x  2 root       root       4096 Oct 29  2018 .
 drwxr-xr-x 10 root       root       4096 Oct 29  2018 ..
 -rw-r--r--  1 root       root        220 May 15  2017 .bash_logout
 -rw-r--r--  1 root       root       3526 May 15  2017 .bashrc
 -r-sr-x---  1 leviathan2 leviathan1 7452 Oct 29  2018 check
 -rw-r--r--  1 root       root        675 May 15  2017 .profile
 leviathan1@leviathan:~$ file check
 check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c735f6f3a3a94adcad8407cc0fda40496fd765dd, not stripped
Continue reading “OverTheWire Leviathan – Level 1”

Over the Wire’s Bandit Challenge – Level 20

Level 20 – bandit – overthewire

Level Instructions:

“There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think”

Continue reading “Over the Wire’s Bandit Challenge – Level 20”

Over the Wire’s Bandit Challenge – Level 19

Level 19 – bandit – overthewire

Level Instructions:

“To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.”


bandit19@bandit:~$ ls -la
total 28
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rwsr-x---  1 bandit20 bandit19 7408 Dec 28  2017 bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ cat /etc/bandit_pass/bandit20
cat: /etc/bandit_pass/bandit20: Permission denied
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Printing the contents of the home directory reveals an executable, ‘bandit20-do’, with setuid flag set.  Running the command without passing an argument reveals a bit of information into the programs function.

Continue reading “Over the Wire’s Bandit Challenge – Level 19”

Over the Wire’s Bandit Challenge – Level 18

Level 18 – bandit – overthewire

Level Instructions:

“The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.”


bandit17@bandit:~$ ssh bandit18@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
...
...
...
Byebye !
Connection to localhost closed.
bandit17@bandit:~$ ssh bandit18@localhost cat readme
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
...
...
...
bandit18@localhost's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

As hinted in the instructions for level 17 upon logging into bandit18 we receive a ‘Byebye !’ message right before our connection is automatically terminated.

Since we know that the password resides in a readme file within the home directory, we can append ‘cat readme’ to our connection command to print the contents of that file before our connection is terminated.