Leviathan 1 to 2
Leviathan 1 to 2
login
ssh leviathan1@leviathan.labs.overthewire.org -p 2223
password : 3QJ3TgzHDq
now use ls to look for the files
leviathan1@leviathan:~$ ls
check
leviathan1@leviathan:~$ file check
check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=990fa9b7d511205601669835610d587780d0195e, for GNU/Linux 3.2.0, not stripped
we also used file check to find out the type of file it is, we found out its elf 32 bit lsb executable
leviathan1@leviathan:~$ strings check | grep leviathan
leviathan1@leviathan:~$ strings check
td8
/lib/ld-linux.so.2
_IO_stdin_used
puts
__stack_chk_fail
system
getchar
__libc_start_main
printf
setreuid
strcmp
geteuid
libc.so.6
GLIBC_2.4
GLIBC_2.34
GLIBC_2.0
__gmon_start__
secr
love
password:
/bin/sh
Wrong password, Good Bye ...
;*2$"0
GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
crt1.o
__abi_tag
__wrap_main
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
check.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
strcmp@GLIBC_2.0
__libc_start_main@GLIBC_2.34
__x86.get_pc_thunk.bx
printf@GLIBC_2.0
getchar@GLIBC_2.0
_edata
_fini
__stack_chk_fail@GLIBC_2.4
geteuid@GLIBC_2.0
__data_start
puts@GLIBC_2.0
system@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
setreuid@GLIBC_2.0
_end
_dl_relocate_static_pie
_fp_hw
__bss_start
__TMC_END__
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment
tried piping the output of strings check into grep leviathan but didnt got anything ... then did string check only without piping ... look there carefully
love
password:
/bin/sh
Wrong password, Good Bye ...
run the file
leviathan1@leviathan:~$ ./check
password: test
Wrong password, Good Bye ...
this means its simple strcmp that is comparing the password you typed with the correct password. so we can simply use ltrace to trace library calls ... ltrace is used to see what library calls are made during binary execution ... library calls are, when a program calls a function from a file that is shared by multiple programs ... for example checking if input is the correct password is done with library function called strcmp .. it will show function and its input parameters, which then include the password
leviathan1@leviathan:~$ ltrace ./check
__libc_start_main(0x80490ed, 1, 0xffffd474, 0 <unfinished ...>
printf("password: ") = 10
getchar(0, 0, 0x786573, 0x646f67password: hello
) = 104
getchar(0, 104, 0x786573, 0x646f67) = 101
getchar(0, 0x6568, 0x786573, 0x646f67) = 108
strcmp("hel", "sex") = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
) = 29
+++ exited (status 0) +++
so clearly visible its comparing our input "hello" with "sex" so correct password is sex.
lets try by running the binary again and checking the password.
leviathan1@leviathan:~$ ./check
password: sex
$
and indeed yes, we got access to the leviathan 2 shell ... as it was written already above in strings ... /bin/sh
now you can simple find the password from:
$ cat /etc/leviathan_pass/leviathan2
NsN1HwFoyN
here we go another leiathan done!
<!-- truncate -->
