OverTheWire Leviathan Wargame Solution 3

For Leviathan 3, we keep things real simple.  We only need a few commands that we are already familiar with to get access to Leviathan4’s shell. When we finally do get his shell, we can cat his password in /etc/leviathan_pass/leviathan4 and correctly log in as him to begin level 4->5. Let’s take a look at my shell output.

Leviathan 3->4:

leviathan3@melissa:~$ ls

#We see a binary, so let's run it:

leviathan3@melissa:~$ ./level3
Enter the password> password
bzzzzzzzzap. WRONG

#Okay, let's see if there are any interesting strings in it:

leviathan3@melissa:~$ strings ./level3
[You've got shell]!
bzzzzzzzzap. WRONG
Enter the password>

#Okay, now we are working with something. The point of interest
#for us will be the snlprintf word. Right after that you see the
#words, "You've got shell!". Let's use that as the password:

leviathan3@melissa:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ whoami

#Interesting phenomenon, we have been dumped into Leviathan4's shell
#All that is left to do is cat the password:

$ cat /etc/leviathan_pass/leviathan4

Just like that, we have the password for Leviathan 4. Why though? Some may already be familiar with snprintf in C. I am not familiar with any snlprintf(). So we can assume it is a made up function or actually is the password. Clearly it is a visible string in the binary. If you follow the logic in the strings output, you can crudely tell this is what pops the shell in main.

Other thoughts, maybe the L is for leviathan. One could also try using ltrace on the binary to look for strcmp() or similar functions that have the password as an argument. One could easily spend a fair amount of time trying things out on this challenge, the key is in plain site, but probably not what most people will be looking for.