Skip to main content

2 posts tagged with "leviathan"

View All Tags

Leviathan 0 to 1

Shubham
Cybersecurity Enthusiast

Leviathan 0 to 1

we already know password for leviathan0 so we will login using ssh
ssh leviathan0@leviathan.labs.overthewire.org -p 2223 then type the password leviathan0

now if you see there are no files that means files are hidden
use ls -la command to list the files that are hidden also

leviathan0@leviathan:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Oct 14 09:27 .
drwxr-xr-x 150 root root 4096 Oct 14 09:29 ..
drwxr-x--- 2 leviathan1 leviathan0 4096 Oct 14 09:27 .backup
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3851 Oct 14 09:19 .bashrc
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile

here we can clearly see leviathan1 in .backup directory
now change directory to .backup then we have one html file named bookmarks.html, now if you do cat bookmarks.html
thats so long output

leviathan0@leviathan:~/.backup$ cat bookmarks.html | grep leviathan
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is 3QJ3TgzHDq" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

so we used grep to filter

and yeah we got the password to leviathan 1 this was just practice or you say warm up type question, there was no such reverse engineering stuff as such.

`

Leviathan 1 to 2

Shubham
Cybersecurity Enthusiast

Leviathan 1 to 2

login

ssh leviathan1@leviathan.labs.overthewire.org -p 2223 password : 3QJ3TgzHDq

now use ls to look for the files

leviathan1@leviathan:~$ ls
check
leviathan1@leviathan:~$ file check
check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=990fa9b7d511205601669835610d587780d0195e, for GNU/Linux 3.2.0, not stripped

we also used file check to find out the type of file it is, we found out its elf 32 bit lsb executable

leviathan1@leviathan:~$ strings check | grep leviathan
leviathan1@leviathan:~$ strings check
td8
/lib/ld-linux.so.2
_IO_stdin_used
puts
__stack_chk_fail
system
getchar
__libc_start_main
printf
setreuid
strcmp
geteuid
libc.so.6
GLIBC_2.4
GLIBC_2.34
GLIBC_2.0
__gmon_start__
secr
love
password:
/bin/sh
Wrong password, Good Bye ...
;*2$"0
GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
crt1.o
__abi_tag
__wrap_main
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
check.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
strcmp@GLIBC_2.0
__libc_start_main@GLIBC_2.34
__x86.get_pc_thunk.bx
printf@GLIBC_2.0
getchar@GLIBC_2.0
_edata
_fini
__stack_chk_fail@GLIBC_2.4
geteuid@GLIBC_2.0
__data_start
puts@GLIBC_2.0
system@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
setreuid@GLIBC_2.0
_end
_dl_relocate_static_pie
_fp_hw
__bss_start
__TMC_END__
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment

tried piping the output of strings check into grep leviathan but didnt got anything ... then did string check only without piping ... look there carefully

love
password:
/bin/sh
Wrong password, Good Bye ...

run the file

leviathan1@leviathan:~$ ./check
password: test
Wrong password, Good Bye ...

this means its simple strcmp that is comparing the password you typed with the correct password. so we can simply use ltrace to trace library calls ... ltrace is used to see what library calls are made during binary execution ... library calls are, when a program calls a function from a file that is shared by multiple programs ... for example checking if input is the correct password is done with library function called strcmp .. it will show function and its input parameters, which then include the password

leviathan1@leviathan:~$ ltrace ./check
__libc_start_main(0x80490ed, 1, 0xffffd474, 0 <unfinished ...>
printf("password: ") = 10
getchar(0, 0, 0x786573, 0x646f67password: hello
) = 104
getchar(0, 104, 0x786573, 0x646f67) = 101
getchar(0, 0x6568, 0x786573, 0x646f67) = 108
strcmp("hel", "sex") = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
) = 29
+++ exited (status 0) +++

so clearly visible its comparing our input "hello" with "sex" so correct password is sex.
lets try by running the binary again and checking the password.

leviathan1@leviathan:~$ ./check
password: sex
$

and indeed yes, we got access to the leviathan 2 shell ... as it was written already above in strings ... /bin/sh

now you can simple find the password from:

$ cat /etc/leviathan_pass/leviathan2
NsN1HwFoyN

here we go another leiathan done!

`