Access level

ssh -p 2223

Level goal

Exploit the SUID Binary to get the next level password stored at /etc/leviathan_pass/leviathan4.


Like we did in the previous Leviathan challenges we’ll use ltrace to understand the execution of the binary:

leviathan3@leviathan:~$ ltrace ./level3
__libc_start_main(0x8048618, 1, 0xffffd744, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka")                                                                                                       = -1
printf("Enter the password> ")                                                                                                   = 20
fgets(Enter the password> aaaaaaa
"aaaaaaa\n", 256, 0xf7fc55a0)                                                                                              = 0xffffd550
strcmp("aaaaaaa\n", "snlprintf\n")                                                                                               = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)                                                                                                       = 19
+++ exited (status 0) +++

We see two interesting function here, the first strcmp compare two fixed string we don’t know about and the second is comparing our input to another fixed string.

Without lying I don’t really understand the purpose of the first strcmp function here and flaws often include the user input. That’s why we’ll try to input the fixed string in the second strcmp function.

leviathan3@leviathan:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ cat /etc/leviathan_pass/leviathan4

That’s all for this challenge which is similar to Leviathan1.