MayADevBe Blog

A Blog about Computer Science

Leviathan Level 3 -> 4 - OverTheWire Walkthrough

Previous Level: Level 3

Login

SSH: ssh leviathan3@leviathan.labs.overthewire.org -p 2223

Password: Ahdiemoo1j (outdated - should be gathered through previous level)

A little bit of Theory

Nothing new. Theory from Level 2.

Solution

We start the same way as always, by looking at the home directory. We find a SUID binary called 'level3', owned by leviathan4, that asks for a password.

leviathan3@leviathan:~$ ls -la
total 32
drwxr-xr-x  2 root       root        4096 Aug 26  2019 .
drwxr-xr-x 10 root       root        4096 Aug 26  2019 ..
-rw-r--r--  1 root       root         220 May 15  2017 .bash_logout
-rw-r--r--  1 root       root        3526 May 15  2017 .bashrc
-r-sr-x---  1 leviathan4 leviathan3 10288 Aug 26  2019 level3
-rw-r--r--  1 root       root         675 May 15  2017 .profile
leviathan3@leviathan:~$ ./level3 
Enter the password> Ahdiemoo1j
bzzzzzzzzap. WRONG

We can start analysing the binary the same way as we have done in previous levels. So let’s try ltrace again:

leviathan3@leviathan:~$ ltrace ./level3 
__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                                             = -1
printf("Enter the password> ")                                         = 20
fgets(Enter the password> test
"test\n", 256, 0xf7fc55a0)                                       = 0xffffd590
strcmp("test\n", "snlprintf\n")                                        = 1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)                                             = 19
+++ exited (status 0) +++
leviathan3@leviathan:~$ ./level3 
Enter the password> snlprintf
[You've got shell]!
$ whoami
leviathan4

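As in a previous level, the trace shows that the binary uses 'strcmp', a library function, to compare our input with the correct password. The first 'strcmp' call compares two fixed strings and does not involve our input; the second one compares what we typed ("test") with 'snlprintf'. Running the binary with the password 'snlprintf' gives us a shell as 'leviathan4'. So now we just need to read the password file.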

$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m
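
The same check can be automated when auditing a binary of your own for this weakness: run it under ltrace with a known probe string and list every comparison call that pairs the probe with another string. This is an added example, not part of the original walkthrough; the function names and the list of comparison functions are assumptions, and the sample trace is the one shown above.

```python
import re

# Sample input: the ltrace output from this walkthrough, embedded for offline use.
TRACE = r'''__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                                             = -1
printf("Enter the password> ")                                         = 20
fgets(Enter the password> test
"test\n", 256, 0xf7fc55a0)                                       = 0xffffd590
strcmp("test\n", "snlprintf\n")                                        = 1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)                                             = 19
+++ exited (status 0) +++
'''

# Library calls whose arguments ltrace prints in clear text (assumed list).
COMPARE_FUNCS = ("strcmp", "strncmp", "strcasecmp", "strncasecmp", "memcmp")
CALL_RE = re.compile(r'^(%s)\((.*)\)\s+=\s+-?\d+\s*$' % "|".join(COMPARE_FUNCS))
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted literal, escapes allowed

def unescape(lit):
    """Turn ltrace's escaped literal (e.g. a backslash followed by n) into text."""
    return lit.encode("latin-1").decode("unicode_escape")

def leaked_comparands(trace, probe):
    """Return (function, other_string) for each compare call that saw the probe."""
    findings = []
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # not a completed comparison call (e.g. split fgets/puts lines)
        args = [unescape(a) for a in STR_RE.findall(m.group(2))]
        if len(args) < 2:
            continue
        a, b = args[0], args[1]
        # fgets keeps the trailing newline, so ignore it when matching the probe.
        for mine, other in ((a, b), (b, a)):
            if mine.rstrip("\n") == probe:
                findings.append((m.group(1), other.rstrip("\n")))
                break
    return findings

if __name__ == "__main__":
    for func, secret in leaked_comparands(TRACE, "test"):
        print(f"{func} compared the probe against an embedded string: {secret!r}")
```

Any finding means the expected value sits in the binary in clear text and is visible to whoever can run it, so a SUID program should not gate privileges on such a comparison.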

https://overthewire.org/wargames/leviathan/leviathan4.html


Next Level: Level 5

