NOTE

I am seeking a full-time position in (southern) Germany or Switzerland starting from October related to my skills as demonstrated on this blog. If you know of any opportunities please message me on LinkedIn or via mail under hkopp22 (at) yahoo (dot) de.


Intro

Leviathan is a hacking wargame by the geniuses of overthewire. Its main focus is on reversing. This is a writeup of their challenges. I edited out the passwords, so whenever you encounter stars (*), this was a password. If you have not done these exercises yet, I urge you to do them by yourself to maximize the learning factor and only read the writeups where you are completely stuck. Have fun reading.

Level 0

First, we need to ssh to leviathan0@leviathan.labs.overthewire.org. The first password is simply leviathan0, as mentioned on the website. After connecting to the server, we find… well, basically nothing, but a file .backup/bookmarks.html.
How about we grep there?

$ grep -i levia .backup/bookmarks.html 
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is ******" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

Bam! Done.

Level 1

In Level 1, there is an executable called check with the suid bit set. Let us disassemble it:

leviathan1@melinda:~$ r2 -A check
[0x08048430]> pdf @sym.main
/ (fcn) sym.main 189
|           ; DATA XREF from 0x08048447 (sym.main)
|           ;-- main:
|           0x0804852d    55             push ebp
|           0x0804852e    89e5           mov ebp, esp
|           0x08048530    83e4f0         and esp, 0xfffffff0
|           0x08048533    83ec30         sub esp, 0x30
|           0x08048536    65a114000000   mov eax, dword gs:[0x14]      ; [0x14:4]=1
|           0x0804853c    8944242c       mov dword [esp + 0x2c], eax
|           0x08048540    31c0           xor eax, eax
|           0x08048542    c74424187365.  mov dword [esp + 0x18], 0x786573 ; [0x786573:4]=-1
|           0x0804854a    c74424257365.  mov dword [esp + 0x25], 0x72636573 ; [0x72636573:4]=-1
|           0x08048552    66c744242965.  mov word [esp + 0x29], 0x7465 ; [0x7465:2]=0xffff 
|           0x08048559    c644242b00     mov byte [esp + 0x2b], 0
|           0x0804855e    c744241c676f.  mov dword [esp + 0x1c], 0x646f67 ; [0x646f67:4]=-1
|           0x08048566    c74424206c6f.  mov dword [esp + 0x20], 0x65766f6c ; [0x65766f6c:4]=-1
|           0x0804856e    c644242400     mov byte [esp + 0x24], 0
|           0x08048573    c70424808604.  mov dword [esp], str.password: ; [0x8048680:4]=0x73736170  LEA str.password: ; "password: " @ 0x8048680
|           0x0804857a    e841feffff     call sym.imp.printf
|           0x0804857f    e84cfeffff     call sym.imp.getchar
|           0x08048584    88442414       mov byte [esp + 0x14], al
|           0x08048588    e843feffff     call sym.imp.getchar
|           0x0804858d    88442415       mov byte [esp + 0x15], al
|           0x08048591    e83afeffff     call sym.imp.getchar
|           0x08048596    88442416       mov byte [esp + 0x16], al
|           0x0804859a    c644241700     mov byte [esp + 0x17], 0
|           0x0804859f    8d442418       lea eax, [esp + 0x18]         ; 0x18 
|           0x080485a3    89442404       mov dword [esp + 4], eax
|           0x080485a7    8d442414       lea eax, [esp + 0x14]         ; 0x14 
|           0x080485ab    890424         mov dword [esp], eax
|           0x080485ae    e8fdfdffff     call sym.imp.strcmp
|           0x080485b3    85c0           test eax, eax
|       ,=< 0x080485b5    750e           jne 0x80485c5                
|       |   0x080485b7    c704248b8604.  mov dword [esp], str._bin_sh  ; [0x804868b:4]=0x6e69622f  LEA str._bin_sh ; "/bin/sh" @ 0x804868b
|       |   0x080485be    e83dfeffff     call sym.imp.system
|      ,==< 0x080485c3    eb0c           jmp 0x80485d1                
|      ||   ; JMP XREF from 0x080485b5 (sym.main)
|      |`-> 0x080485c5    c70424938604.  mov dword [esp], str.Wrong_password__Good_Bye_... ; [0x8048693:4]=0x6e6f7257  LEA str.Wrong_password__Good_Bye_... ; "Wrong password, Good Bye ..." @ 0x8048693
|      |    0x080485cc    e81ffeffff     call sym.imp.puts
|      |    ; JMP XREF from 0x080485c3 (sym.main)
|      `--> 0x080485d1    b800000000     mov eax, 0
|           0x080485d6    8b54242c       mov edx, dword [esp + 0x2c]   ; [0x2c:4]=0x280009  ; ','
|           0x080485da    653315140000.  xor edx, dword gs:[0x14]
|           0x080485e1    7405           je 0x80485e8                 
|           0x080485e3    e8f8fdffff     call sym.imp.__stack_chk_fail
|           ; JMP XREF from 0x080485e1 (sym.main)
|           0x080485e8    c9             leave
\           0x080485e9    c3             ret

We see that the program asks for a password. Then it reads three characters into al (sym.imp.getchar) and writes them to the stack. The three characters are compared to something on the stack (sym.imp.strcmp) and depending on equality we jump to a wrong password section or we get a shell (bin/sh). We want to have the shell. So we need to see, what is compared. A little bit above, there are some things written to the stack at the mov dword stuff. In the following dump I have added comments by changing the hex into ascii-characters.

0x08048542    c74424187365.  mov dword [esp + 0x18], 0x786573 ; sex
0x0804854a    c74424257365.  mov dword [esp + 0x25], 0x72636573 ; secr
0x08048552    66c744242965.  mov word [esp + 0x29], 0x7465 ; et
0x08048559    c644242b00     mov byte [esp + 0x2b], 0
0x0804855e    c744241c676f.  mov dword [esp + 0x1c], 0x646f67 ; god
0x08048566    c74424206c6f.  mov dword [esp + 0x20], 0x65766f6c ; love
0x0804856e    c644242400     mov byte [esp + 0x24], 0

We have sex, secret, god, and love. Sex is written on the top of the stack, so it should be the correct password. And indeed. We have to type it in, get the suid-bash and read out the password for the next level.

leviathan1@melinda:~$ ./check 
password: sex
$ cat /etc/leviathan_pass/leviathan2
******

Level 2

Level 2 is interesting. We have a file, called printfile, which takes a file as argument and prints its input if the file has the correct permissions.

To check the permissions, it calls access on the whole filename. Printing is done with /bin/cat %s. I make an example:

leviathan2@melinda:/tmp/hkoppwashere$ echo "aa" > a
leviathan2@melinda:/tmp/hkoppwashere$ ~/printfile a                    
aa

With ltrace, we can see the library calls. ltrace is to libraries, what strace is to syscalls:

leviathan2@melinda:/tmp/hkoppwashere$ ltrace ~/printfile /tmp/hkoppwashere/a
__libc_start_main(0x804852d, 2, 0xffffd734, 0x8048600 <unfinished ...>
access("/tmp/hkoppwashere/a", 4)                                                                           = 0
snprintf("/bin/cat /tmp/hkoppwashere/a", 511, "/bin/cat %s", "/tmp/hkoppwashere/a")                        = 28
system("/bin/cat /tmp/hkoppwashere/a"aa
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                                                     = 0
+++ exited (status 0) +++

This one took me some time to get. The main idea is looking at what happens if we give it a filename with spaces in it. If we have a file called a b, then it checks if we have the correct access rights to the file a b, and then executes cat a b, which of course is something completely different. To exploit this behavior, we create a symbolic link to /etc/leviathan_pass/leviathan3, called a and a file called a b, where we have the correct permissions. Finally we execute printfile on a b. The permission of a b will be checked, resulting in the execution of cat a b. The first one gives us the content of /etc/leviathan_pass/leviathan3, since it is a symbolic link. And b gives us an error, since it does not exist.

leviathan2@melinda:/tmp/hkoppwashere$ ln -s /etc/leviathan_pass/leviathan3 a
leviathan2@melinda:/tmp/hkoppwashere$ touch a\ b
leviathan2@melinda:/tmp/hkoppwashere$ ~/printfile a\ b 
******
/bin/cat: b: No such file or directory

On to the next level.

Level 3

We have a sweet little file called level3. We load it into radare2 and take a look.

leviathan3@melinda:~$ r2 -A level3
[0x08048450]> pdf @sym.main
/ (fcn) sym.main 201
|           ; DATA XREF from 0x08048467 (sym.main)
|           ;-- main:
|           0x080485fe    55             push ebp                      ; level3.c:24  
|           0x080485ff    89e5           mov ebp, esp
|           0x08048601    83e4f0         and esp, 0xfffffff0
|           0x08048604    83ec50         sub esp, 0x50
|           0x08048607    65a114000000   mov eax, dword gs:[0x14]      ; [0x14:4]=1 ; level3.c:24  
|           0x0804860d    8944244c       mov dword [esp + 0x4c], eax
|           0x08048611    31c0           xor eax, eax
|           0x08048613    c7442423626f.  mov dword [esp + 0x23], 0x626d6f62 ; [0x626d6f62:4]=-1 ; level3.c:25  
|           0x0804861b    66c744242761.  mov word [esp + 0x27], 0x6461 ; [0x6461:2]=0xffff 
|           0x08048622    c644242900     mov byte [esp + 0x29], 0
|           0x08048627    c74424382e2e.  mov dword [esp + 0x38], 0x732e2e2e ; [0x732e2e2e:4]=-1 ; level3.c:26  
|           0x0804862f    c744243c3363.  mov dword [esp + 0x3c], 0x33726333 ; [0x33726333:4]=-1
|           0x08048637    66c744244074.  mov word [esp + 0x40], 0x74   ; [0x74:2]=1 ; 't'
|           0x0804863e    c744242a6830.  mov dword [esp + 0x2a], 0x6f6e3068 ; [0x6f6e3068:4]=-1 ; level3.c:28  
|           0x08048646    66c744242e33.  mov word [esp + 0x2e], 0x3333 ; [0x3333:2]=0xffff 
|           0x0804864d    c644243000     mov byte [esp + 0x30], 0
|           0x08048652    c74424316b61.  mov dword [esp + 0x31], 0x616b616b ; [0x616b616b:4]=-1 ; level3.c:29  
|           0x0804865a    66c74424356b.  mov word [esp + 0x35], 0x616b ; [0x616b:2]=0xffff 
|           0x08048661    c644243700     mov byte [esp + 0x37], 0
|           0x08048666    c74424422a33.  mov dword [esp + 0x42], 0x2e32332a ; [0x2e32332a:4]=-1 ; level3.c:30  
|           0x0804866e    c7442446322a.  mov dword [esp + 0x46], 0x785b2a32 ; [0x785b2a32:4]=-1
|           0x08048676    66c744244a5d.  mov word [esp + 0x4a], 0x5d   ; [0x5d:2]=0x481  ; ']'
|           0x0804867d    8d442431       lea eax, [esp + 0x31]         ; 0x31  ; '1' ; level3.c:33  
|           0x08048681    89442404       mov dword [esp + 4], eax
|           0x08048685    8d44242a       lea eax, [esp + 0x2a]         ; 0x2a  ; '*'
|           0x08048689    890424         mov dword [esp], eax
|           0x0804868c    e83ffdffff     call sym.imp.strcmp
|           0x08048691    85c0           test eax, eax
|       ,=< 0x08048693    7508           jne 0x804869d                
|       |   0x08048695    c744241c0100.  mov dword [esp + 0x1c], 1     ; level3.c:34  
|       |   ; JMP XREF from 0x08048693 (sym.main)
|       `-> 0x0804869d    c704248f8704.  mov dword [esp], str.Enter_the_password_ ; [0x804878f:4]=0x65746e45  LEA str.Enter_the_password_ ; "Enter the password> " @ 0x804878f ; level3.c:36  
|           0x080486a4    e837fdffff     call sym.imp.printf
|           0x080486a9    e89ffeffff     call sym.do_stuff             ; level3.c:38  
|           0x080486ae    b800000000     mov eax, 0                    ; level3.c:40  
|           0x080486b3    8b54244c       mov edx, dword [esp + 0x4c]   ; [0x4c:4]=5 ; 'L' ; level3.c:41  
|           0x080486b7    653315140000.  xor edx, dword gs:[0x14]
|           0x080486be    7405           je 0x80486c5                 
|           0x080486c0    e83bfdffff     call sym.imp.__stack_chk_fail
|           ; JMP XREF from 0x080486be (sym.main)
|           0x080486c5    c9             leave
\           0x080486c6    c3             ret

There is a bunch of stuff which gets moved around and compared at 0x08048691. This is just to confuse us, since it is not processing any input from us. Then it asks for a password and calls sym.do_stuff. This seems important, so let us check that.

[0x08048450]> pdf @sym.do_stuff
/ (fcn) sym.do_stuff 177
|           ; arg int arg_665_2    @ ebp+0xa66
|           ; arg int arg_471538588_3 @ ebp+0x706c6e73
|           ; arg int arg_488348252_2 @ ebp+0x746e6972
|           ; var int local_0_1    @ ebp-0x1
|           ; var int local_3      @ ebp-0xc
|           ; var int local_67     @ ebp-0x10c
|           ; var int local_69_3   @ ebp-0x117
|           ; CALL XREF from 0x080486a9 (sym.do_stuff)
|           0x0804854d    55             push ebp                      ; level3.c:7  
|           0x0804854e    89e5           mov ebp, esp
|           0x08048550    81ec28010000   sub esp, 0x128
|           0x08048556    65a114000000   mov eax, dword gs:[0x14]      ; [0x14:4]=1 ; level3.c:7  
|           0x0804855c    8945f4         mov dword [ebp-local_3], eax
|           0x0804855f    31c0           xor eax, eax
|           0x08048561    c785e9feffff.  mov dword [ebp-local_69_3], 0x706c6e73 ; [0x706c6e73:4]=-1 ; level3.c:9  
|           0x0804856b    c785edfeffff.  mov dword [ebp - 0x113], 0x746e6972 ; [0x746e6972:4]=-1
|           0x08048575    66c785f1feff.  mov word [ebp - 0x10f], 0xa66 ; [0xa66:2]=0
|           0x0804857e    c685f3feffff.  mov byte [ebp - 0x10d], 0
|           0x08048585    a13ca00408     mov eax, dword [obj.stdin__GLIBC_2.0] ; [0x804a03c:4]=0x203a4343  LEA section..bss ; "CC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2" @ 0x804a03c ; level3.c:10  
|           0x0804858a    89442408       mov dword [esp + 8], eax
|           0x0804858e    c74424040001.  mov dword [esp + 4], 0x100    ; [0x100:4]=0x80487a4 section..eh_frame_hdr
|           0x08048596    8d85f4feffff   lea eax, [ebp-local_67]
|           0x0804859c    890424         mov dword [esp], eax
|           0x0804859f    e84cfeffff     call sym.imp.fgets
|           0x080485a4    8d85e9feffff   lea eax, [ebp-local_69_3]     ; level3.c:12  
|           0x080485aa    89442404       mov dword [esp + 4], eax
|           0x080485ae    8d85f4feffff   lea eax, [ebp-local_67]
|           0x080485b4    890424         mov dword [esp], eax
|           0x080485b7    e814feffff     call sym.imp.strcmp
|           0x080485bc    85c0           test eax, eax
|       ,=< 0x080485be    751a           jne 0x80485da                
|       |   0x080485c0    c70424608704.  mov dword [esp], str._You_ve_got_shell__ ; [0x8048760:4]=0x756f595b  LEA str._You_ve_got_shell__ ; "[You've got shell]!" @ 0x8048760 ; level3.c:13  
|       |   0x080485c7    e844feffff     call sym.imp.puts
|       |   0x080485cc    c70424748704.  mov dword [esp], str._bin_sh  ; [0x8048774:4]=0x6e69622f  LEA str._bin_sh ; "/bin/sh" @ 0x8048774 ; level3.c:14  
|       |   0x080485d3    e848feffff     call sym.imp.system
|      ,==< 0x080485d8    eb0c           jmp 0x80485e6                
|      ||   ; JMP XREF from 0x080485be (sym.do_stuff)
|      |`-> 0x080485da    c704247c8704.  mov dword [esp], str.bzzzzzzzzap._WRONG ; [0x804877c:4]=0x7a7a7a62  LEA str.bzzzzzzzzap._WRONG ; "bzzzzzzzzap. WRONG" @ 0x804877c ; level3.c:16  
|      |    0x080485e1    e82afeffff     call sym.imp.puts
|      |    ; JMP XREF from 0x080485d8 (sym.do_stuff)
|      `--> 0x080485e6    b800000000     mov eax, 0                    ; level3.c:19  
|           0x080485eb    8b55f4         mov edx, dword [ebp-local_3]  ; level3.c:20  
|           0x080485ee    653315140000.  xor edx, dword gs:[0x14]
|           0x080485f5    7405           je 0x80485fc                 
|           0x080485f7    e804feffff     call sym.imp.__stack_chk_fail
|           ; JMP XREF from 0x080485f5 (sym.do_stuff)
|           0x080485fc    c9             leave
\           0x080485fd    c3             ret

Some stuff is moved around and then compared against our input at 0x080485b7. Depending on the correctness we either get the shell at 0x080485cc or jump over it to the badboy at 0x080485da. We could compute the ASCII from the values on the stack, which is not hard, but we already did something similar in Level 1. So I am going to show an alternative approach. Just wrap it in ltrace.

leviathan3@melinda:~$ ltrace ./level3
__libc_start_main(0x80485fe, 1, 0xffffd794, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                          = -1
printf("Enter the password> ")                      = 20
fgets(Enter the password> hkopp is a genius
"hkopp is a genius\n", 256, 0xf7fcac20)       = 0xffffd58c
strcmp("hkopp is a genius\n", "snlprintf\n")        = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)                          = 19
+++ exited (status 0) +++

We can see the first comparison which was there to confuse us. It compares “h0no33” against “kakaka”. This always fails. Next, we should enter the password. I entered “hkopp is a genius” which got compared against the string “snlprintf”. And since it is not equal we go to the loser. Now it is clear what we need to do. The password for the file is “snlprintf” which grants us a shell allowing us to read out the password for the next level.

leviathan3@melinda:~$ ./level3 
Enter the password> snlprintf
[You've got shell]!
$ cat /etc/leviathan_pass/leviathan4
******

Done.

Level 4

This level is pretty straightforward to solve by educated guessing.

leviathan4@leviathan:~$ ls -la
total 28
drwxr-xr-x  4 leviathan4 leviathan4 4096 Oct  3 09:54 .
drwxr-xr-x 11 root       root       4096 Oct  3 09:54 ..
-rw-r--r--  1 leviathan4 leviathan4  220 Apr  9  2014 .bash_logout
-rw-r--r--  1 leviathan4 leviathan4 3637 Apr  9  2014 .bashrc
drwx------  2 leviathan4 leviathan4 4096 Oct  3 09:54 .cache
-rw-r--r--  1 leviathan4 leviathan4  675 Apr  9  2014 .profile
dr-xr-x---  2 root       leviathan4 4096 Oct  2 04:15 .trash
leviathan4@leviathan:~$ cd .trash/
leviathan4@leviathan:~/.trash$ ls
bin
leviathan4@leviathan:~/.trash$ ./bin 
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010 

This is binary. If you throw this into one of the online binary to ASCII converters, you get the password for the next level.

Level 5

In this level we have a binary which cats the content of a file called /tmp/file.log and then removes that file, by calling unlink. So we simply link /tmp/file.log to our passwordfile.

leviathan5@leviathan:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
leviathan5@leviathan:~$ ./leviathan5
******

Level 6

leviathan6@leviathan:~$ ./leviathan6 
usage: ./leviathan6 <4 digit code>
leviathan6@leviathan:~$ ./leviathan6 1111
Wrong
leviathan6@leviathan:~$ ./leviathan6 2222
Wrong

Okay, so we have to guess a password. Since there are not that many possibilities we can resolve to brute-forcing. The script then drops us to a shell and we can retrieve the password for the next level.

leviathan6@leviathan:~$ for i in $(seq 9999); do ./leviathan6 $i; done|grep -v Wrong
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
-bash: fork: retry: No child processes
whoami
leviathan7
cat /etc/leviathan_pass/leviathan7
******
exit

Level 7

Well, actually this is not really a level. Just some congratulations, that we made it.



Published

26 May 2018

Category

CTF Writeups

Tags