Leviathan (OverTheWire) walkthrough

Ahmet Göker
Jul 21, 2022

Hey hackers,

Welcome back to my walkthrough blog post. Today, we are going to solve the Leviathan challenge at OverTheWire. I would recommend that platform for learning some new privilege techniques and understanding the hacking flow.

Level 0

To start off with this level, the credential is given below:

Username: leviathan0
Password: leviathan0

And, in order to establish a connection between us and the server it will be enough to type:

$ ssh leviathan0@leviathan.labs.overthewire.org -p 2223

As you can see above, there is a “.backup” directory, and inside this directory we see an “.html” file. We can guess that the password is stored in this “html” file, so let's give it a try.

I am going to use:

$ cat bookmarks.html | grep -i 'password'

Yes!! It works. The password had been stored inside the “.html” file, so we can move forward to the next level.

Level 1

After logging in to the next level we should be able to see a file called “checked”, a setuid ELF 32-bit LSB executable. Now we can run this and see what it does.

It seems weird because I have been waiting for a while but nothing happened. I will try the “ltrace” command; some people might not know what this command does.

ltrace is a program that simply runs the specified command until it exits, intercepting and recording the dynamic library calls made by the process and the signals it receives.

I want to be able to see what kind of code this program contains.

That is awesome. We have “strcmp()”, which simply compares the input string against the correct one.

I was also going to use “gdb” to disassemble the main function.

Password found! → “sex”

Do not forget all the passwords are stored at this location → /etc/leviathan_pass

Level 2

On this level the first thing that we should notice is that we are given another file, which has higher permissions than what we currently have. Create a working directory in the “/tmp” folder using the “mkdir” command.

This level is very interesting in my honest opinion.

I am able to view “/etc/passwd”, but I am unable to view → /etc/leviathan_pass/leviathan3!!?

I was trying to investigate this methodology further..

The “ltrace” command will be a good option.

I am going to create a directory with a normal .txt file.

It seems it has something to do with access() and snprintf().

access(): The access() function shall check the file named by the pathname pointed to by the path argument for accessibility according to the bit pattern contained in amode, using the real user ID in place of the effective user ID and the real group ID in place of the effective group ID.

snprintf(): The snprintf() function redirects the output of the standard printf() function to a buffer.

source: https://pubs.opengroup.org/onlinepubs/009695299/functions/access.html

OK, this can be confusing, because after calling the “~/printfile test.tx” command I noticed that my “test.txt” was gone!

Can you see something suspicious in the “snprintf()” call? We have “/bin/cat”, which means that if I create a file called “test.txt”, we might be able to use a symbolic link to exploit this.

We will be using the “ln” command, but what is this command?

ln is a command-line utility for creating links between files. By default, the ln command creates hard links. To create a symbolic link, use the -s (--symbolic) option.

source : https://linuxize.com/post/how-to-create-symbolic-links-in-linux-using-the-ln-command/

I made a ‘tmp’ directory, and within that directory “exploit.txt” is created.

I was trying to investigate this process while running it.

There is a huge security flaw, and we are able to exploit it: /bin/cat treats “pass hack.txt” as two separate files, “pass” and “hack.txt”.

And boom, g0t the password!!
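An added example, not code from the challenge binary or the original post: C code for the pattern the ltrace output points to, showing why a name with a space is one path to access() but two arguments to /bin/cat, next to a reader that avoids the mismatch. It assumes the formatted string is handed to a shell (the post only shows access(), snprintf() and /bin/cat); all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The pattern visible in the ltrace output: the file name is pasted,
   unquoted, into a command string. */
int build_cat_command(char *out, size_t n, const char *name) {
    return snprintf(out, n, "/bin/cat %s", name);
}

/* Words a shell sees after splitting on blanks. Quoting is not modelled
   because the command string above contains none. */
int shell_word_count(const char *cmd) {
    int words = 0;
    cmd += strspn(cmd, " \t");
    while (*cmd != '\0') {
        words++;
        cmd += strcspn(cmd, " \t");   /* skip the word itself */
        cmd += strspn(cmd, " \t");    /* skip the blanks after it */
    }
    return words;
}

/* Hardened form: no shell and no separate access() check. The effective
   UID is set to the real UID first, so the kernel applies the caller's
   own permissions to the one path that is actually opened. */
ssize_t read_file_as_caller(const char *name, char *buf, size_t n) {
    if (n == 0 || seteuid(getuid()) != 0)
        return -1;
    int fd = open(name, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got >= 0)
        buf[got] = '\0';
    return got;
}
```

With the name “pass hack.txt” the command string splits into three words, while the hardened reader treats the same name as a single path.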

Level 3

I found this level much easier than the previous one. You should use your C knowledge to be able to move on to the next level.

  1. You should be able to see the “level3” ELF file
  2. I was going to run this file with “ltrace” ./level3
  3. This file checked my password string and, after the comparison, exited
  4. After entering a password, strcmp() compares the two strings, and I found the password “snlprintf” for the level3 file.
  5. When you get your shell, type “cat /etc/leviathan_pass/leviathan4” to get the password for the next level.

Level 4

After logging in you should be able to see the “bin” ELF file

Run this and convert this from binary to text

easy one!!

site: https://www.rapidtables.com/convert/number/binary-to-ascii.html

And get your password!!

Level 5

So far we got some easy challenges, but let's see what level 5 will provide us.

After logging in to level 5, we will be able to see:

  1. This is our challenge file called “leviathan5”
  2. As you did before, we are going to use the “ltrace” command to see the behaviour of this code!
  3. Hmm, fopen() seems interesting

fopen(): The C library function FILE *fopen(const char *filename, const char *mode) opens the file pointed to by filename using the given mode.

source : https://www.tutorialspoint.com/c_standard_library/c_function_fopen.html

For more information you can look at that site.

4. Let’s go ahead and create a symlink to /etc/leviathan_pass/leviathan6 and link it to /tmp/file.log. It should work, let's give it a try!!

And boom, we have the password for the next level.
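An added example, not part of the original post or the challenge binary: how a privileged program could open a predictable path such as /tmp/file.log without being redirected by a symlink. The function names and the expected-owner parameter are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a file at a predictable path (the walkthrough's /tmp/file.log)
   on behalf of a privileged reader. Returns a descriptor, or -1 when
   the path is a symlink, is not a regular file, has extra hard links,
   or is not owned by expected_owner. */
int open_trusted_log(const char *path, uid_t expected_owner) {
    /* O_NOFOLLOW: fail if the final path component is a symlink.
       O_NONBLOCK: do not hang if someone planted a FIFO there. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* fstat() inspects the object that was opened, not the name, so the
       result cannot be swapped between check and use. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Read up to n-1 bytes through the checked descriptor. */
ssize_t read_trusted_log(const char *path, uid_t owner, char *buf, size_t n) {
    int fd = (n > 0) ? open_trusted_log(path, owner) : -1;
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got >= 0)
        buf[got] = '\0';
    return got;
}
```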

Level 6

After logging into level 6; You will be able to see a file called “leviathan6”

  1. First I ran “ls -la” to see all files in this directory
  2. I saw immediately that it has the permissions of leviathan7
  3. When I ran this file, it asked me for a 4-digit code
  4. I put 1111 but it was not correct. So I decided to brute force this file

Let's run this.

5. After a while of brute forcing, I got access to leviathan7.

Now let's use this password and move on to the next level.

Level 7

So we are done with this challenge :))

Summary

First of all, thanks for reading this blog. If you are interested in such things, please follow me and subscribe… and share with your friends.

Ahmet Göker | Exploit researcher | malware Researcher| Cryptanalyst | CTF player | Reverse Engineering

You can follow me on:

Linkedin: https://www.linkedin.com/in/ahmetg%C3%B6ker/

Twitter: https://twitter.com/TurkishHoodie_

Youtube: https://www.youtube.com/c/TurkishHoodie

Github: https://github.com/DarkGhost010
