Hi all, let’s pwn it!
You can find the challenge here: OverTheWire Leviathan
Level 0
Let’s connect to the server first. The default creds for level 0 are leviathan0:leviathan0:
We can see a hidden .backup directory:
There is a bookmarks.html file in it; the password is probably inside.
The file has a lot of content, so I’ll use Linux filtering to grab just the password:
If you have no idea what the cut command does, I suggest you study it.
My pwntools exploit (add 2 backslashes between the space delimiter):
Level 1
Let’s connect now to the next level:
We have to deal with a 32-bit binary:
Let’s execute it to see what it does:
It needs a password; if the password is correct, I guess it will give us a shell as leviathan2. Let’s do some basic RE on it with ltrace (ltrace intercepts library calls):
It uses the strcmp function. strcmp compares two strings, so here it compares our input with the string sex. So sex is the password:
We can find the password under /etc/leviathan_pass/leviathan2:
My pwntools exploit:
Level 2
Let’s connect to level 2:
We can see an ELF file again:
Let’s see what it does:
It prints the contents of a file. Cool, let’s try to print the flag for level 3:
Yep, we can’t read this flag. Let’s do some basic RE with ltrace again.
It uses the system() function with the cat command (cat + our input), so we have to trick the binary. The file is SUID, which means we can run the binary as user leviathan3. Let’s make a file with a random name and add ;bash -p. -p allows the shell to run with SUID privileges.
The password for next level:
My pwntools exploit (you may need to run the exploit multiple times!):
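The ltrace finding in this level, as an added example in C (not the leviathan binary's source and not the author's code): the first function shows the command string a shell would receive, the second runs cat without a shell so the name stays a single argument. The format string, function names and file names are assumptions constructed for illustration.

```c
/* Added example, not the leviathan2 source. Names are constructed. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed shape of the flawed call: the caller's string is pasted into the
 * command line that system() hands to /bin/sh -c. The shell, not cat,
 * decides where the file name ends, so ';' starts a second command. */
int build_shell_command(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "/bin/cat %s", name);
}

/* Hardened form: no shell. The name travels as exactly one argv entry,
 * and "--" stops cat from reading a leading '-' as an option.
 * Returns cat's exit status, or -1 if the child could not be run. */
int cat_file_no_shell(const char *name)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "cat", "--", (char *)name, NULL };
        execv("/bin/cat", argv);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    char cmd[512];
    build_shell_command(cmd, sizeof cmd, argv[1]);
    fprintf(stderr, "a shell would parse: %s\n", cmd);
    return cat_file_no_shell(argv[1]);
}
```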
Level 3
Let’s connect to level 3:
We have to deal with a binary again:
Let’s run it:
It needs a password, so let’s fire up ltrace.
It compares our input with the string snlprintf. Tricky! Let’s input that and grab a shell as leviathan4.
Password for next level:
My pwntools exploit:
Level 4
Let’s connect to level 4:
We can see a hidden .trash directory with a binary file in it:
Let’s run the binary.
It gives us some binary data; let’s convert it to ASCII:
That’s the password for leviathan5.
My pwntools exploit:
Level 5
Let’s connect to level 5:
We can see a binary:
Let’s execute it:
It reads /tmp/file.log, so let’s create that file and execute the binary.
It does nothing, so here we will use a trick: we will create a symbolic link (a file that points to another file).
My pwntools exploit:
Level 6
Let’s connect to level 6:
We can see a binary:
Let’s execute it:
It needs a 4-digit code, so 0000-9999. I coded a simple bash one-liner to brute-force it.
After a few minutes:
Was fun! :)