Open in app

Sign in

Write

Sign in

OverTheWire : Leviathan war-game walkthrough

Shanika Perera
6 min readJun 20, 2018

Hope you’re having a good day. So, I’m currently on vacation and I was looking for something to do. Then I remembered about the war-games that we did in our university. It’s from a website called ‘OverTheWire.org’ which contains some amazing games that anyone can play. Each game consists of many different levels. 0th level username and password is given to you. You have to access the war-game through SSH or whatever the instruction given and you have to find the password for the next level which is hidden somewhere in the level.

I already completed Bandit and Natas war-games. I will publish a walk-through for those two games in the meantime. Today I’m going to walk you through the game called ‘Leviathan’. Leviathan is a war-game that has been rescued from the demise of intruded.net, previously hosted on leviathan.intruded.net which now you have access from HERE. It contains 8 levels and classified as 1/10 difficulty. Over the description of the website it says ;

This war-game doesn't require any knowledge about programming - just a bit of common sense and some knowledge about basic *nix commands. We had no idea that it'd be this hard to make an interesting war-game that wouldn't require programming abilities from the players. Hopefully we made an interesting challenge for the new ones

So, here we go! 🙂

If you already familiar with OverTheWire war-games, they usually tell us the instructions or at least give some kind of hints to gain the password to the next level. But in Leviathan it doesn’t give any kind of information about what we have to do, which means we are on our own.

LEVEL 0

Level 0 username and password is already mentioned in the website. You have to gain access to the SSH session of leviathan0 and provide your username which is ‘leviathan0’ and password which is ‘leviathan0’.

LEVEL 0 -> 1

When you access the level 0 and perform a ls command, there’s nothing particular to be visible. So, we will perform a ls -al command to see whether there are any contents hidden.

Of course there is 😉 As you can see, there is a directory called ‘backup’. We’ll go inside the directory and there you’ll be able to find a html file called ‘bookmarks.html’. Most probably the password must be hidden somewhere in that file. We’ll open in it in the vi editor and search for a string ‘levaithan1’.

There we go! Password for the level 1 is ‘rioGegei8m’.

Level 1 -> 2

We are currently on level 1. Let’s perform a ls command. There you will find an executable called ‘check’. We’ll run it and see what happens.

When we execute it, it asks for a password. Then it must be hard coded to the executable to check for a specific password, compare it and then gain access to the next level password. Let’s run a ltrace command and check whether what kind of libraries calls for this program.

As you guys can see, the program compares the user input using a strcmp command with a string called ‘sex’ (Why though? 😛 ). Let’s try that.

All the passwords are stored in a directory called ‘leviathan_pass’. You have to be on the correct level to access the password file of the specific level. As in this we are currently on leviathan 2 level which means we have access to its password file.

Password for level 2 is ‘ougahZi8Ta’.

Level 2 -> 3

Once you gain access to level 2, You can see there’s an executable again called ‘printfile’. When you run it, it’ll say that it needs a file as an input. So, we’ll create a temporary file in /tmp folder and run a ltrace command.

As you can see, it runs a function called ‘access()’ and it checks the permission based on the process’ real user ID rather than the effective user ID. If you run a ls -al you’ll see that the printfile executable has leviathan3’s privileges which means if we somehow get access to the password file in /etc/leviathan_pass, we have access to the next level password.

/bin/cat is called to output the contents of the file. What if we give a file name that contains space in middle? It will probably takes the first part of the filename before the space as the file name and run it. What we can do here is that we can link the actual password file to the file we created now with a space in it and when we run a ltrace it will link the files and we’ll gain access to the password file.

Password for the level 3 is ‘Ahdiemoo1j’.

LEVEL 3 -> 4

Another executable! Here’s a tip for you. Whenever you access a new level first thing to do is run a ls -al command. It’ll make it easier for you to figure out what to do next with whatever the output you get. Back to this. Again it asks for a password. So, we’ll run a ltrace command and see.

This is tricky. There are two strcmps so we have to figure out what is the correct one. the strcmp that compares with the input password is the second one. Here we have the password which is ‘snlprintf’. Let’s try that.

Password for the level 4 is ‘vuH0coox6m’.

LEVEL 4 -> 5

You know the routine 😉 ls -al to the rescue! There’s a hidden directory called ‘.trash’. If we go inside, we’ll be able to see an executable called ‘bin’. If we run it, you’ll be able to see a binary code which might be the next level password.

What you have to do now is to convert this binary code into ASCII. There are many online converters and I used binaryhexconverter.

Password for level 5 is ‘Tith4cokei’.

LEVEL 5 -> 6

When you enter to level 5, you’ll be able to see an executable called ‘leviathan5’. If we execute it, it says ‘Cannot find /tmp/file.log’. We’ll run a ltrace.

Well! This is interesting. The program is running a fopen on /tmp/file.log on read mode. We’ll do what we did on level 2. We’ll link the leviathan6 password file to the log file because we have access to the password file. And then if we run the executable again it will run the password file.

Password for the level 6 is ‘UgaoFee4li’.

LEVEL 6 ->7

‘leviathan6’. Another executable. When we run it, it asks for a 4 digit code. I ran the ltrace command but unfortunately it doesn’t have a hard-coded digit code. Things are about to get interesting 😉

We’ll simply write a for loop to generate every possible 4 digit code there is from 0000 to 9999 and run it against this executable file.

It takes about 10 seconds to find the correct pattern which is 7123 and when its matched you will get a shell. We’ll run a whoami command to check where we are and as we are on leviathan7 we’ll access its password file for the next level.

Password for the level 7 is ‘ahy7MaeBo9’.

LEVEL 7 -> 8

Hallelujah! You have successfully conquered leviathan war-game.

Stay tuned for more cool stuff!

Originally published at shdotni.wordpress.com on June 20, 2018.

Programming
Overthewire
Leviathan

--

--

Shanika Perera

Written by Shanika Perera

129 Followers

Infrastructure Security Engineer | WSO2 | CKA | AWS SysOps Administrator | HashiCorp Certified Terraform Associate

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams