Wednesday, July 9, 2014

[WALKTHROUGH] OverTheWire - Leviathan

So, I have completed the Leviathan wargame hosted by OverTheWire... I would say this is a very good challenge for a beginner like me to get familiar with the Linux system...

The challenge is free and is always available to try out...

Some info provided by the host regarding the difficulty and number of challenges for this particular wargame...

As instructed, let's start by SSHing in as leviathan0@leviathan.labs.overthewire.org...

Although the initial password for leviathan0 is not given, or not that I'm aware of... I found out the password to kick off is actually the same as the login name... 'leviathan0'...

I'm given the hint that the data for the levels can be found in the home directory, so I check the available files with `ls -la`...

Nothing special in the directory, except that I found a '.backup' folder...

Checking the backup folder, I saw a 'bookmarks.html' file...

Displaying the whole HTML file is too much to inspect properly for any credentials to the next level...

So I `cat` the file and `grep` for the keyword "password"... and there is the password for the next level...


So, I `ssh leviathan1@localhost`, enter the password found earlier... and I'm in as user leviathan1...

Again, checking the home directory... there is a "check" file...

As I'm not sure what the "check" file is, I inspect it with the `file` command, which reports a 32-bit executable...

I execute the file and it prompts for a password...


So I ran the file under `ltrace` to see what is happening behind the scenes...

I found the strcmp call, which compares the input against the literal password "sex"...


Again, I execute "check" and enter the password "sex"... I'm dropped into another shell as user "leviathan2"...

With leviathan2's privileges, I `cat` the user's own password from "/etc/leviathan_pass/leviathan2"...


I exit that shell and `ssh leviathan2@localhost` with the password just found, to get a proper shell...

Checking the files in the home directory again... I found the executable "printfile", which simply displays the content of a file (something like the `cat` command)...

However, when I tried to display "/etc/leviathan_pass/leviathan3", it failed...

So I inspect "printfile" further to see whether it has a weak point of its own...

I tried creating a file named "test file", with an intentional space in the middle of the name...

And I check what "printfile" does under the hood with `ltrace`...


From the `ltrace` output, I can see that "printfile" checks the permission of the input file with the access() function, then `cat`s out the content of a "test" file and a "file" file...

Basically, the unquoted file name is handed to a shell, which splits it on the space... so it `cat`s the content of two files with separate names instead of the one file that was given...

So I create a symlink named "test" in my current working folder, pointing to "/etc/leviathan_pass/leviathan3"...

And when I execute "printfile" with "test file" as the argument... the system actually `cat`s out the content of "test" instead of "test file"... and thanks to the symlink, "test" points to the leviathan3 password file...


Then, continue with `ssh leviathan3@localhost` and enter the password...

Checking the home directory again, I found the suspicious "level3" file...

Running `strings` on "level3", we can see the message "[You've got shell]!"... and right before it, the string "snlprintf", which is very likely the keyword to pass...


Enter the keyword as the password and I'm dropped into a shell as "leviathan4"...

`cat`ting out "/etc/leviathan_pass/leviathan4" provides the password to log in as "leviathan4"...


After `ssh leviathan4@localhost`, I checked the home directory again and saw a "trash" folder...

Inside the "trash" folder is an executable "bin" file...

`cat` out the content of "bin" and we can see some binary '0's and '1's...


Paste it into an online converter and we get the ASCII text, which is the password for the next level...
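The online converter step is simple enough to do offline, and doing it yourself lets you catch a truncated or mangled dump instead of silently getting garbage. This is an added example, not code from the page or the wargame: it decodes whitespace-separated 8-bit groups into ASCII and refuses any input that contains a non-binary character or a bit count that is not a multiple of 8. The sample bits below are constructed for the demo and are not the contents of the "bin" file.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode a text of '0'/'1' characters into ASCII: every 8 bits become one
 * byte, whitespace between groups is ignored. Returns the number of bytes
 * written, or -1 if a non-binary character appears, the buffer is too small,
 * or the bit count is not a multiple of 8 (a truncated dump is an error,
 * not a shorter string). */
int bits_to_ascii(const char *bits, char *out, size_t outlen)
{
    size_t n = 0;
    int nbits = 0;
    unsigned char cur = 0;

    for (const char *p = bits; *p; p++) {
        if (isspace((unsigned char)*p))
            continue;
        if (*p != '0' && *p != '1')
            return -1;
        cur = (unsigned char)((cur << 1) | (unsigned char)(*p - '0'));
        if (++nbits == 8) {
            if (n + 1 >= outlen)
                return -1;
            out[n++] = (char)cur;
            cur = 0;
            nbits = 0;
        }
    }
    if (nbits != 0)          /* dangling partial byte: reject */
        return -1;
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample for the demo (decodes to "Hi!"), not the wargame's data. */
static const char SAMPLE_BITS[] = "01001000 01101001 00100001";

int main(void)
{
    char text[32];
    int n = bits_to_ascii(SAMPLE_BITS, text, sizeof text);
    if (n < 0)
        printf("malformed input\n");
    else
        printf("%d bytes: %s\n", n, text);
    return 0;
}
```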


`ssh leviathan5@localhost` and check the home directory AGAIN...

`file` inspection of the "leviathan5" file, which obviously holds the key to the next level...

I tried executing the file, but it shows the message "Cannot find /tmp/file.log"...


A very straightforward hint, so I created the mentioned "/tmp/file.log" and tried executing "leviathan5" again...

As expected, it prints out the content I put into "file.log"...

However, when I tried to `cat` "file.log" again... the system returned "No such file or directory"...

So I guess "leviathan5" removes "file.log" right after displaying its content...


Hence, I created another symlink, "/tmp/file.log" pointing to the leviathan6 password file "/etc/leviathan_pass/leviathan6", and executed "leviathan5" to display the password...
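Both the "printfile" level and this "/tmp/file.log" level fall to the same defect: a setuid program decides a path is safe (with access(), or just by trusting a fixed name in a world-writable directory) and then reads through something else, either a shell that splits the unquoted name or a symlink that now points at the password file. The block below is an added example, not code from the wargame or the page: it reconstructs the pattern the `ltrace` output implies and sets a hardened reader beside it that never invokes a shell and performs its checks on the descriptor it actually reads from. The function names, the fixture files under /tmp, and the policy "only serve regular files owned by the real user" are my assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE        /* O_NOFOLLOW, symlink(), mkstemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, reconstructed from what ltrace showed (assumption):
 * 1. access() checks the raw argument as the real user: "test file" passes.
 * 2. the unquoted argument is pasted into a shell command; the shell splits
 *    it into "test" and "file", and "test" may be a symlink to anything the
 *    setuid program can read. A fixed "/tmp/file.log" has the same gap. */
int printfile_vulnerable(const char *path)
{
    char cmd[512];
    if (access(path, R_OK) != 0)
        return -1;
    snprintf(cmd, sizeof cmd, "/bin/cat %s", path);
    return system(cmd);
}

/* Hardened reader. No shell, so the name is never split. O_NOFOLLOW refuses
 * a symlink at the final component; fstat() on the open fd cannot race with
 * a rename or relink; S_ISREG keeps devices and FIFOs out; the owner test
 * replaces the access() question with one a link cannot answer for someone
 * else's file. Returns bytes read, or -1 when refused or on error. */
int printfile_hardened(const char *path, char *out, size_t outlen)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return (int)n;
}

/* Constructed fixtures: a regular file we own, and a symlink pointing at it. */
int make_fixture_file(char *path, size_t len, const char *content)
{
    char tmpl[] = "/tmp/printfile-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0 || strlen(tmpl) + 1 > len)
        return -1;
    if (write(fd, content, strlen(content)) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    strcpy(path, tmpl);
    return 0;
}

int make_fixture_link(char *link, size_t len, const char *target)
{
    if (snprintf(link, len, "%s.lnk", target) >= (int)len)
        return -1;
    unlink(link);
    return symlink(target, link);
}

int main(void)
{
    char file[64], link[64], buf[64];
    if (make_fixture_file(file, sizeof file, "hello\n") != 0)
        return 1;
    if (make_fixture_link(link, sizeof link, file) != 0)
        return 1;
    printf("regular file: %d bytes\n", printfile_hardened(file, buf, sizeof buf));
    printf("symlink:      %d (refused)\n", printfile_hardened(link, buf, sizeof buf));
    unlink(link);
    unlink(file);
    return 0;
}
```

The symlink refusal is what closes both levels: with O_NOFOLLOW the "/tmp/file.log" link is never opened, and since no shell is involved "test file" is opened as one name rather than two. A real fix would also drop privileges or avoid a fixed path in /tmp altogether, but the descriptor-level checks are the part a reviewer should insist on.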


Log in as user "leviathan6" and scout the home directory again...

Now I have an executable "leviathan6" file...

Tried running "leviathan6" and it asks for a 4-digit code...


Run a very simple bash loop to brute force "leviathan6" from 0000 to 9999...


As the iteration ran, it finally stopped at code "7123" and immediately dropped into another shell as "leviathan7"...

`cat` out "/etc/leviathan_pass/leviathan7" and log in as "leviathan7"...


After advancing to the final level, there is a "CONGRATULATIONS" note in the home directory...

Read the note and the challenge is complete... :)
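The sweep works because the binary accepts an unlimited number of guesses against a 10,000-code space. The block below is an added example, not the wargame's code: it models a PIN check with an attempt limit and a constant-time comparison, then runs the same 0000-9999 sweep against it in-process to show how many codes get evaluated before lockout stops the rest. The `pin_guard` type, the attempt limit, and the use of the page's code "7123" as the sample PIN are my assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PIN_LEN 4

typedef struct {
    char pin[PIN_LEN + 1];
    int failures;      /* consecutive wrong guesses */
    int max_attempts;  /* refuse everything once failures reaches this */
} pin_guard;

void pin_guard_init(pin_guard *g, const char *pin, int max_attempts)
{
    memset(g, 0, sizeof *g);
    strncpy(g->pin, pin, PIN_LEN);
    g->max_attempts = max_attempts;
}

/* Constant-time comparison: the answer does not depend on which digit
 * differs, so timing does not narrow the search. */
static int pin_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    for (int i = 0; i < PIN_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 on success, 0 on a wrong guess, -1 when locked out. */
int pin_guard_check(pin_guard *g, const char *guess)
{
    if (g->failures >= g->max_attempts)
        return -1;
    if (strlen(guess) == PIN_LEN && pin_equal(g->pin, guess)) {
        g->failures = 0;
        return 1;
    }
    g->failures++;
    return 0;
}

/* The walkthrough's sweep, run against the guard. Returns how many codes
 * were actually evaluated; *found is set when the PIN was reached. */
int sweep_all_codes(pin_guard *g, int *found)
{
    char code[PIN_LEN + 1];
    int evaluated = 0;
    *found = 0;
    for (int c = 0; c < 10000; c++) {
        snprintf(code, sizeof code, "%04d", c);
        int r = pin_guard_check(g, code);
        if (r == -1)
            break;           /* locked out: the remaining codes are never tested */
        evaluated++;
        if (r == 1) {
            *found = 1;
            break;
        }
    }
    return evaluated;
}

int main(void)
{
    pin_guard g;
    int found;

    pin_guard_init(&g, "7123", 10000);    /* no effective limit, as in the level */
    printf("unlimited: evaluated %d codes, found=%d\n", sweep_all_codes(&g, &found), found);

    pin_guard_init(&g, "7123", 5);        /* lock after 5 wrong guesses */
    printf("lockout:   evaluated %d codes, found=%d\n", sweep_all_codes(&g, &found), found);
    return 0;
}
```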

