OverTheWire Leviathan Wargame Solution 3

For Leviathan 3, we keep things real simple.  We only need a few commands that we are already familiar with to get access to Leviathan4’s shell. When we finally do get his shell, we can cat his password in /etc/leviathan_pass/leviathan4 and correctly log in as him to begin level 4->5. Let’s take a look at my shell output.

Leviathan 3->4:


leviathan3@melissa:~$ ls
level3

#We see a binary, so let's run it:

leviathan3@melissa:~$ ./level3
Enter the password> password
bzzzzzzzzap. WRONG

#Okay, let's see if there are any interesting strings in it:

leviathan3@melissa:~$ strings ./level3
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
__printf_chk
puts
__stack_chk_fail
stdin
fgets
system
__libc_start_main
GLIBC_2.4
GLIBC_2.0
GLIBC_2.3.4
PTRh
[^_]
snlprintf
[You've got shell]!
/bin/sh
bzzzzzzzzap. WRONG
Enter the password>
secret

#Okay, now we are working with something. The point of interest
#for us will be the snlprintf word. Right after that you see the
#words, "You've got shell!". Let's use that as the password:

leviathan3@melissa:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ whoami
leviathan4

#Interesting phenomenon, we have been dumped into Leviathan4's shell
#All that is left to do is cat the password:

$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m

Just like that, we have the password for Leviathan 4. Why though? Some may already be familiar with snprintf in C. I am not familiar with any snlprintf(). So we can assume it is a made up function or actually is the password. Clearly it is a visible string in the binary. If you follow the logic in the strings output, you can crudely tell this is what pops the shell in main.

Other thoughts, maybe the L is for leviathan. One could also try using ltrace on the binary to look for strcmp() or similar functions that have the password as an argument. One could easily spend a fair amount of time trying things out on this challenge, the key is in plain site, but probably not what most people will be looking for.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s