Leviathan Level 1 → Level 2

From here on out, there is no information given for the levels. In the home directory there is an executable file, check, so let’s try it. It prompts for a password. I type "password" and get the reply "Wrong password".

./check
password: password
Wrong password, Good Bye ...

Let’s use gdb. Disassembling main gives the following:

Dump of assembler code for function main:
 0x080484f4 <+0>: push %ebp
 0x080484f5 <+1>: mov %esp,%ebp
 0x080484f7 <+3>: and $0xfffffff0,%esp
 0x080484fa <+6>: sub $0x30,%esp
 0x080484fd <+9>: mov %gs:0x14,%eax
 0x08048503 <+15>: mov %eax,0x2c(%esp)
 0x08048507 <+19>: xor %eax,%eax
 0x08048509 <+21>: movl $0x786573,0x24(%esp)
 0x08048511 <+29>: movl $0x72636573,0x14(%esp)
 0x08048519 <+37>: movw $0x7465,0x18(%esp)
 0x08048520 <+44>: movb $0x0,0x1a(%esp)
 0x08048525 <+49>: movl $0x646f67,0x28(%esp)
 0x0804852d <+57>: movl $0x65766f6c,0x1b(%esp)
 0x08048535 <+65>: movb $0x0,0x1f(%esp)
 0x0804853a <+70>: mov $0x8048690,%eax
 0x0804853f <+75>: mov %eax,(%esp)
 0x08048542 <+78>: call 0x80483d0 <printf@plt>
 0x08048547 <+83>: call 0x80483e0 <getchar@plt>
 0x0804854c <+88>: mov %al,0x20(%esp)
 0x08048550 <+92>: call 0x80483e0 <getchar@plt>
 0x08048555 <+97>: mov %al,0x21(%esp)
 0x08048559 <+101>: call 0x80483e0 <getchar@plt>
 0x0804855e <+106>: mov %al,0x22(%esp)
 0x08048562 <+110>: movb $0x0,0x23(%esp)
 0x08048567 <+115>: lea 0x24(%esp),%eax
 0x0804856b <+119>: mov %eax,0x4(%esp)
 0x0804856f <+123>: lea 0x20(%esp),%eax
 0x08048573 <+127>: mov %eax,(%esp)
 0x08048576 <+130>: call 0x80483c0 <strcmp@plt>
 0x0804857b <+135>: test %eax,%eax
 0x0804857d <+137>: jne 0x804858d <main+153>
 0x0804857f <+139>: movl $0x804869b,(%esp)
 0x08048586 <+146>: call 0x8048410 <system@plt>
 0x0804858b <+151>: jmp 0x8048599 <main+165>
 0x0804858d <+153>: movl $0x80486a3,(%esp)
 0x08048594 <+160>: call 0x8048400 <puts@plt>
 0x08048599 <+165>: mov $0x0,%eax
 0x0804859e <+170>: mov 0x2c(%esp),%edx
 0x080485a2 <+174>: xor %gs:0x14,%edx
 0x080485a9 <+181>: je 0x80485b0 <main+188>
 0x080485ab <+183>: call 0x80483f0 <__stack_chk_fail@plt>
 0x080485b0 <+188>: leave 
 0x080485b1 <+189>: ret

We can see a few function calls: three getchar calls and a strcmp. We can test the three getchar calls by pressing Enter three times after running the program; the program immediately terminates with "Wrong password". Running strings on the file lists all the readable strings, so we can look for a three-character word that is the one being compared.

strings check
/lib/ld-linux.so.2
xRQ|
__gmon_start__
libc.so.6
_IO_stdin_used
puts
__stack_chk_fail
printf
getchar
system
strcmp
__libc_start_main
GLIBC_2.4
GLIBC_2.0
PTRh0
D$,1
D$$sex
secrf
D$(god
love
T$,e3
UWVS
[^_]
password: 
/bin/sh
Wrong password, Good Bye ...
;*2$"

There are a few choices; after trying them, the word "sex" works. I later found out that ltrace gives an even better solution: the library function strcmp is comparing the input against "sex". When the file is executed with the password "sex", the program spawns a shell.

ltrace ./check
__libc_start_main(0x80484f4, 1, -10268, 0x80485c0, 0x8048630 <unfinished ...>
printf("password: ") = 10
getchar(0x8048690, 32768, 0x8049ff4, 0x80485e1, -1password: sex
) = 115
getchar(0x8048690, 32768, 0x8049ff4, 0x80485e1, -1) = 101
getchar(0x8048690, 32768, 0x8049ff4, 0x80485e1, -1) = 120
strcmp("sex", "sex") = 0
system("/bin/sh"$
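As an added illustration (not part of the original post), the following Python script replays the movl/movw/movb immediate stores from the gdb dump above into a 0x30-byte stack image, then reads off which constant the strcmp call compares the three getchar bytes against. The DISASM text is an excerpt copied from the dump on this page; the function names are my own.

```python
import re

# Constructed excerpt of the gdb dump above (AT&T syntax, 32-bit), used as input.
DISASM = """\
 0x08048509 <+21>: movl $0x786573,0x24(%esp)
 0x08048511 <+29>: movl $0x72636573,0x14(%esp)
 0x08048519 <+37>: movw $0x7465,0x18(%esp)
 0x08048520 <+44>: movb $0x0,0x1a(%esp)
 0x08048525 <+49>: movl $0x646f67,0x28(%esp)
 0x0804852d <+57>: movl $0x65766f6c,0x1b(%esp)
 0x08048535 <+65>: movb $0x0,0x1f(%esp)
 0x08048562 <+110>: movb $0x0,0x23(%esp)
 0x08048567 <+115>: lea 0x24(%esp),%eax
 0x0804856b <+119>: mov %eax,0x4(%esp)
 0x0804856f <+123>: lea 0x20(%esp),%eax
 0x08048573 <+127>: mov %eax,(%esp)
 0x08048576 <+130>: call 0x80483c0 <strcmp@plt>
"""

STORE = re.compile(r"mov([lwb]) \$0x([0-9a-f]+),0x([0-9a-f]+)\(%esp\)")
LEA_ARG = re.compile(r"lea 0x([0-9a-f]+)\(%esp\),%eax\n[^\n]*mov %eax,(0x4)?\(%esp\)")  # lea then arg store

def build_stack(disasm, size=0x30):
    """Replay every immediate store to an %esp-relative slot into a stack image."""
    stack = bytearray(size)  # sub $0x30,%esp: the frame is 0x30 bytes, zeroed here
    for m in STORE.finditer(disasm):
        width = {"l": 4, "w": 2, "b": 1}[m.group(1)]
        imm, off = int(m.group(2), 16), int(m.group(3), 16)
        stack[off:off + width] = imm.to_bytes(width, "little")  # x86 is little-endian
    return stack

def c_string(stack, off):  # NUL-terminated string starting at %esp offset `off`
    return stack[off:stack.index(b"\x00", off)].decode("ascii", errors="replace")

def stack_strings(disasm):
    """Every non-empty string that starts at a stored slot, keyed by %esp offset."""
    stack, out, covered = build_stack(disasm), {}, -1
    for off in sorted({int(m.group(3), 16) for m in STORE.finditer(disasm)}):
        if off > covered and (s := c_string(stack, off)):
            out[off], covered = s, off + len(s)  # skip slots inside this string
    return out

def strcmp_args(disasm):
    """%esp offsets passed as (arg0, arg1) to the strcmp call in the dump."""
    args = {1 if m.group(2) else 0: int(m.group(1), 16)
            for m in LEA_ARG.finditer(disasm.split("<strcmp@plt>")[0])}
    return args[0], args[1]

def expected_password(disasm):
    """The constant strcmp compares the getchar buffer (arg0) against (arg1)."""
    return c_string(build_stack(disasm), strcmp_args(disasm)[1])
```

Laying the bytes out this way also shows why strings printed "secrf" and "D$$sex": the immediates sit inside the instruction encoding, so "secr" is followed by the 0x66 ('f') operand-size prefix of the next movw, and "D$$" is the ModRM/SIB/displacement bytes 44 24 24 that precede "sex".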

In the elevated shell, whoami shows that we are now leviathan2. Simply read the next password from /etc/leviathan_pass/leviathan2 (as in Bandit).

whoami
leviathan2

find / -user leviathan2 2>/dev/null
/etc/leviathan_pass/leviathan2
/home/leviathan1/check

cat /etc/leviathan_pass/leviathan2
ougahZi8Ta