ssh email@example.com -p 2223
Exploit the SUID Binary to get the next level password stored at /etc/leviathan_pass/leviathan4.
Like we did in the previous Leviathan challenges, we’ll use ltrace to understand the execution of the binary:
leviathan3@leviathan:~$ ltrace ./level3
__libc_start_main(0x8048618, 1, 0xffffd744, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> aaaaaaa
"aaaaaaa\n", 256, 0xf7fc55a0) = 0xffffd550
strcmp("aaaaaaa\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
) = 19
+++ exited (status 0) +++
We see two interesting calls here: the first strcmp compares two fixed strings we don’t know about, and the second compares our input to another fixed string.
Without lying, I don’t really understand the purpose of the first strcmp function here, and flaws often include the user input. That’s why we’ll try to input the fixed string from the second strcmp function.
leviathan3@leviathan:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m
That’s all for this challenge, which is similar to Leviathan1.
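
The leak visible in the ltrace output above can be checked for automatically when auditing your own binaries. The following is an added example, not part of the original write-up: a small parser that reads an ltrace log and flags string comparisons where one side came from fgets and the other is a constant. The function name audit_trace and the finding labels are assumptions made for this illustration, and the sample trace is the session from this page laid out one event per line.

```python
import re

# Constructed sample: the ltrace session from this write-up, one event per line.
SAMPLE_TRACE = r'''__libc_start_main(0x8048618, 1, 0xffffd744, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> aaaaaaa
"aaaaaaa\n", 256, 0xf7fc55a0) = 0xffffd550
strcmp("aaaaaaa\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
) = 19
+++ exited (status 0) +++
'''

STR = r'"((?:[^"\\]|\\.)*)"'  # one ltrace-quoted string argument
CMP_RE = re.compile(r'\b(strcmp|strncmp|strcasecmp)\(' + STR + r',\s*' + STR)
# The terminal echo splits the fgets line, so match only its tail:
#   "buffer", size, FILE*) = pointer
FGETS_RE = re.compile(STR + r',\s*\d+,\s*0x[0-9a-f]+\)\s*=\s*0x[0-9a-f]+')


def audit_trace(trace):
    """Classify every string comparison seen in an ltrace log."""
    user_inputs = {m.group(1) for m in FGETS_RE.finditer(trace)}
    findings = []
    for m in CMP_RE.finditer(trace):
        func, left, right = m.groups()
        from_user = [arg for arg in (left, right) if arg in user_inputs]
        constants = [arg for arg in (left, right) if arg not in user_inputs]
        if from_user and constants:
            kind = "input-vs-constant"      # secret comparand is exposed
        elif constants:
            kind = "constant-vs-constant"   # no user data involved
        else:
            kind = "input-vs-input"
        findings.append({"call": func, "kind": kind, "constants": constants})
    return findings


if __name__ == "__main__":
    for f in audit_trace(SAMPLE_TRACE):
        print(f["call"], f["kind"], f["constants"])
```

An input-vs-constant finding means the expected value sits in the binary in clear text and is handed to a library call, so anyone who can trace the program can read it. Comparing a salted hash of the input, with the reference value kept outside the binary, removes the plaintext from the trace.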