OverTheWire: Leviathan Wargames

My journey through the Leviathan homeland in the planet OverTheWire!

Photo by Soumil Kumar from Pexels

I have always wanted to hop on the “Capture The Flag (CTF)” train but wanted to start somewhere that was beginner friendly. OverTheWire wargames are just that: they help you train in the basic skills needed for your pentesting journey, in a CTF format.

This post documents my journey through the Leviathan series, the techniques and tools I used, and can also be used as a guide. However, I suggest that you try going through the wargames yourself and refer to this only as a guide when stuck.

Basics:

The levels in the Leviathan series are named Leviathan0, Leviathan1, … Leviathan7 and can be accessed through SSH on leviathan.labs.overthewire.org using port 2223. So, to connect, your ssh command will look something like this:

ssh {username}@{domain} -p {port}

To log in to the first level, use “leviathan0” as both the username and password.

ssh leviathan0@leviathan.labs.overthewire.org -p 2223

Enter the password when prompted.

With the Leviathan series, there is no information provided on the website. So, we are on our own!

Level 0 → 1

Initially, the ls command shows the home directory to be empty; however, ls -la reveals a hidden directory named .backup. Inside we find a file, bookmarks.html. The file seems to contain one very long line, so to avoid the headache let’s try grep-ing it for password.

leviathan0@leviathan:~$ cat .backup/bookmarks.html | grep password

This reveals the password required to login for the next level. Here we go!

Level 1 → 2

To avoid having to disconnect and reconnect the whole ssh session, I just try to ssh from the current host using,

ssh leviathan1@localhost

This worked for me, but if you have a much simpler solution you are free to follow that.

The home directory contains an executable, which on execution asks for a password. I tried the password we already have but then the executable graciously said this to me,

“Wrong password, Good Bye..”

From here on out, the ltrace command is going to be our best friend, so I recommend that you read through its man page and get acquainted with it. In a nutshell, it shows us the library calls a program makes while it runs, in our case the calls made by the executable file.

Running ltrace ./leviathan2 to trace the execution of the program showed that the first three letters of the password are being compared with another string. So, using that string as the password resulted in a shell, voila!

So all I had to do was cheekily access the folder containing the passwords and display its contents using,

$ cat /etc/leviathan_pass/leviathan2

Armed with the password for the next level, I marched on!

Level 2 → 3

This time we have an executable that takes a filename as an argument and prints out the contents of that file. On closer examination, the executable runs with the permissions of the leviathan3 user. Hence I tried leviathan2@leviathan:~$ ./printfile /etc/leviathan_pass/leviathan3 and I got “You cant have that file…”. Worth a try, ain’t it?

I now used the Linux (I’m using Parrot OS) hidden ability to embed commands in the file name and created a file named “file;bash” in the temporary directory. Now the semicolon should denote the end of the file name and hopefully should execute the “bash” command, which should then provide us with a shell.

leviathan2@leviathan:/tmp/tmp.2qG72dJrZt$ ~/printfile "file;bash"
/bin/cat: file: Permission denied
leviathan3@leviathan:/tmp/tmp.2qG72dJrZt$ whoami
leviathan3

And as you can see, it did, and we are leviathan3 now. Just repeat the process from the previous level to view the password for the next level from the leviathan_pass directory.
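The `/bin/cat: file: Permission denied` line above shows what happened: the name was handed to a shell, which splits it at `;` into two commands. The following C code is an added example, not the wargame's source; the `system()` call in `print_via_shell`, the function names and the constructed file name are assumptions, and it contrasts that pattern with passing the name to `cat` as a single argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed vulnerable pattern: the name is pasted into a shell command line,
 * so the shell treats "file;cmd" as two separate commands. */
int print_via_shell(const char *name) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/cat %s", name);
    return system(cmd);
}

/* Hardened form: no shell involved; the name reaches cat as one argv entry. */
int print_via_exec(const char *name) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/cat", "cat", "--", name, (char *)NULL);
        _exit(127);                      /* only reached if exec failed */
    }
    int status;
    waitpid(pid, &status, 0);
    return status;
}

/* Runs `printer` on a constructed name inside a fresh temp dir and reports
 * whether the text after ';' was executed (1 = marker file was created). */
int injection_fires(int (*printer)(const char *)) {
    char dir[] = "/tmp/inj_demo_XXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    printer("file;touch injected");      /* constructed sample input */
    int fired = access("injected", F_OK) == 0;
    unlink("injected");
    chdir("/");
    rmdir(dir);
    return fired;
}
```

`injection_fires(print_via_shell)` reports the marker file, while `print_via_exec` only produces cat's "No such file" error for the literal name.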

Leviathan 3 → 4

This level is fairly easy and similar to Level 2. We have an executable, and ltrace should reveal another string comparison; copy the comparison string and use it as the password to obtain a shell as leviathan4.

leviathan3@leviathan:~$ ./level3
Enter the password> {Comparison_string}
[You’ve got shell]!
$ cat /etc/leviathan_pass/leviathan4

Leviathan 4 → 5

Again there is nothing in the home folder, but there is a hidden trash folder which again contains an executable.

On execution, it gives us a long string of binary digits. This is the password for the next level, but it needs conversion to ASCII. You can either convert the binary groups individually using an online binary converter or make use of the command line tool bc.

Pass the converted characters to xxd for reverse conversion and you will have the password for the next level.

leviathan4@leviathan:~/.trash$ ./bin | tr " " "\n" | while read line; do echo "obase=16;ibase=2;$line" | bc; done | tr -d "\n" | xxd -r -p

Leviathan 5 → 6

The executable in this level returns “Cannot find /tmp/file.log” when executed. So, I believe we have to create a file called file.log under tmp. I tried embedding code in the file name like “file.log; bash”, which failed miserably.

So, we can try creating a symbolic link, that is, linking our file.log to leviathan_pass/leviathan6. This allows us to read the contents of leviathan_pass/leviathan6 through our file.log file.

leviathan5@leviathan:/tmp$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log

And that works! We have our password for the next level!

Leviathan 6 → 7

This level is quite different: the executable requires a four-digit PIN, and if the PIN is wrong the shell doesn’t hesitate to shout “Wrong” back in our face.

This means we get to bruteforce the code! Yay! Get your black hat on, wear your hoodie and let’s go.

I made use of a simple script with a for loop to loop through the digits from 0000 to 9999. It looks something like this,

leviathan6@leviathan:~$ for pin in {0000..9999}; do echo $pin; ./leviathan6 $pin ; done

It loops through the values, assigning each one to the variable $pin, which is then provided as an argument to our executable.

And when it finds the correct pin, we are blessed with a shell. Now you just read the password from the password directory and use it for the next level.

Leviathan 7

You are presented with a file that has a secret message for you. I will leave it to you to find it and read through it.

This marks the end of the Leviathan series, kudos to us!

— — — — — — — — — — — — — — — — — — — — — — — — — —

Hope you all were able to go through the series successfully and gain some valuable experience with the command line.

Just keep in mind that this is just one way of solving things; there might still be other, much better and simpler ways to solve the challenges. Keep exploring!
