Previous Level: Level 1
ssh email@example.com -p 2223
rioGegei8m (outdated - should be gathered through previous level)
A little bit of Theory
ltrace is used to see what library calls are made during binary execution. Library calls are, when a program calls a function from a file that is shared by multiple programs. So, for example, checking if the input is the correct password can be done with a library function. It will show the function and its input parameters - which then include the password. Such a function to compare strings is
Same start as before, ssh into the machine and check out the home directory:
This time the ‘check’ file, which is an executable, looks promising since it belongs to user leviathan2. Also, we have ‘read’ and ’execute’ permissions and it has the SUID bit set. So let’s see what it does.
So it seems to check if we type in the correct password for the leviathan2 user. Now, depending on how the password is checked, we might find the password as a string in the binary. So let’s use this command:
This gives back all strings in the binary. There are some suspicious-looking strings, however, nothing concrete that I would try. So instead, we can try
So I just chose a random password and it seems that ‘strcmp’ was in fact called:
strcmp("tes", "sex"), the first three letters were compared to the password. So the password seems to be
sex. Let’s check if that is correct by running the binary again.
This seems to work and give us a shell in which we are user ’leviathan2’, because it was a SUID binary.
This means we can now look for the actual password for the ’leviathan2’ user. Based on the description on the website, all passwords are stored under ’etc/leviathan_pass’.
Next Level: Level 3