Prerequisites:-
- Basic Linux knowledge
- Familiarity with C
- Basic bash scripting
Level 0 -> 1
To get into the first level, ssh as leviathan0 into leviathan.labs.overthewire.org
ssh leviathan0@leviathan.labs.overthewire.org -p 2223
This level is pretty simple, we can list out the only file that stands out “.backup”, piping the output to grep we can get the password to leviathan1.
Level 1 -> 2
We have an executable called “check”. Once we try to run it, it prompts for a password.
Running it with ltrace shows us what our input is being compared to, in this case “sex”.
Now all we have to do is use the correct password and cat the /etc/leviathan_pass/leviathan2 file for the next level’s password.
Level 2 -> 3
This one gets a bit more complicated.
We have an executable.. again, obviously, using it to print the next level’s password doesn’t work, so we can exploit it like this.
Create a file in the /tmp directory that injects a command into the executable once it’s run.
touch "/tmp/"file;bash"
Execute “printfile”, passing the file we created earlier.
./printfile /tmp/file\;bash
Now how does this exactly work?
The semicolon followed by “bash” in our filename spawns a shell, and we get leviathan3’s privileges because the SUID bit is set on “printfile”, so once “bash” executes, it will be executed as leviathan3.
Level 3 -> 4
Yet again, another executable.
A subtle trick, but if we examine “strcmp()” using ltrace, we can see that the correct password for the executable is “snlprintf”.
Level 4 -> 5
Back to something simple.
Examining the only interesting directory “.trash”, we find the file “bin” which contains.. you guessed it, binary output.
Google’s your friend here, convert the binary output to ASCII to get the next level’s password.
Level 5 -> 6
The executable “leviathan5” tries to read the file “/tmp/file.log” but can’t find it.
Let’s help it out, create a symbolic link to “/etc/leviathan_pass/leviathan6” and run the executable.
Level 6 -> 7
The most tedious one so far.
We need the correct 4 digit code to run this executable, time to brute force!
Let’s make a temporary directory to house our brute force script.
mktemp -d
Open a file using nano or vim, call it whatever you want. Now for the important part, brute forcing the “leviathan6” script.
Give your brute force script a bit to run, and a little later, we’ll have brute forced the 4 digit code!
Level 7