OverTheWire Leviathan Wargame Solution 6

The final stage of Leviathan presents us with a problem that can be solved via some quick bash scripting. The binary in our home directory accepts a 4 digit combination as the password. Iterating through all the possible combination manually would take too much time. So we create a bash script to do this in a matter of seconds.

Leviathan6->7

leviathan6@melinda:~$ ls
leviathan6
leviathan6@melinda:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>
leviathan6@melinda:~$ ./leviathan6 1111
Wrong

# Create a directory in /tmp to work in:
leviathan6@melinda:/$ mkdir /tmp/bashbrute
leviathan6@melinda:/$ cd /tmp/bashbrute/
leviathan6@melinda:/tmp/bashbrute$ nano brute.sh

#Remember to give your script execute privileges
leviathan6@melinda:/tmp/bashbrute$ chmod +x bashbrute.sh

Quick bash script I wrote that will brute force the binary, use this in brute.sh, or create your own…


#!/bin/bash

for i in {0000..9999}
do
~/leviathan6 $i
done

Run the binary and simply wait for it to iterate through all possible number combinations. Note that we could echo out the password when we find it. Here the script will simply input the pass to the binary and pop us into leviathan7’s shell when it finds a match.

#Go ahead and run the script...
leviathan6@melinda:/tmp/bashbrute$ ./bashbrute.sh

#Let it run, takes about 20 seconds...

#Verify we are in Leviathan7's shell:
$ whoami
leviathan7

Alas, we have made it to the final level of Leviathan. Technically we are done. If you want, you can still cat leviathan7’s password and ssh over to the next level. There is a special congratulations message there for the winners.

leviathan7@melinda:~$ ls
CONGRATULATIONS
leviathan7@melinda:~$ cat CON*
Well Done, you seem to have used a *nix system before, now try something more serious.

I hope the Leviathan series has been informative and fun for you as it was for me. You should have picked up some Linux skills as well as a few security skills. The congratulations message encourages us to try something more serious. I think I will begin posting my Natas solutions. Natas is about basic serverside web-security and might be a good change of pace. Stay tuned for future OvertheWire solutions and programming snippets.

Advertisements

2 thoughts on “OverTheWire Leviathan Wargame Solution 6

  1. Way easier than to brute force is just to look into the binary with “objdump -d leviathan6”. This will quickly reveal that the code consist of atoi(argv[1]) and comparing it with 0x1bd3, which was written to the stack before. No brute forcing necessary…

  2. Good eye. As with most of the challenges, there is usually more than one way to solve them…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s