For Leviathan 3, we keep things real simple. We only need a few commands that we are already familiar with to get access to Leviathan4’s shell. When we finally do get his shell, we can cat his password in /etc/leviathan_pass/leviathan4 and correctly log in as him to begin level 4->5. Let’s take a look at my shell output.
leviathan3@melissa:~$ ls level3 #We see a binary, so let's run it: leviathan3@melissa:~$ ./level3 Enter the password> password bzzzzzzzzap. WRONG #Okay, let's see if there are any interesting strings in it: leviathan3@melissa:~$ strings ./level3 /lib/ld-linux.so.2 __gmon_start__ libc.so.6 _IO_stdin_used __printf_chk puts __stack_chk_fail stdin fgets system __libc_start_main GLIBC_2.4 GLIBC_2.0 GLIBC_2.3.4 PTRh [^_] snlprintf [You've got shell]! /bin/sh bzzzzzzzzap. WRONG Enter the password> secret #Okay, now we are working with something. The point of interest #for us will be the snlprintf word. Right after that you see the #words, "You've got shell!". Let's use that as the password: leviathan3@melissa:~$ ./level3 Enter the password> snlprintf [You've got shell]! $ whoami leviathan4 #Interesting phenomenon, we have been dumped into Leviathan4's shell #All that is left to do is cat the password: $ cat /etc/leviathan_pass/leviathan4 vuH0coox6m
Just like that, we have the password for Leviathan 4. Why though? Some may already be familiar with snprintf in C. I am not familiar with any snlprintf(). So we can assume it is a made up function or actually is the password. Clearly it is a visible string in the binary. If you follow the logic in the strings output, you can crudely tell this is what pops the shell in main.
Other thoughts, maybe the L is for leviathan. One could also try using ltrace on the binary to look for strcmp() or similar functions that have the password as an argument. One could easily spend a fair amount of time trying things out on this challenge, the key is in plain site, but probably not what most people will be looking for.