Leviathan · OverTheWire

Leviathan Level 2 → Level 3

Level 2

Username : leviathan2
Password :ougahZi8Ta
SSH leviathan.labs.overthewire.org:2223

Solution

Note: To solve this level, I had to refer to other blogs to get the solution. I’ve provided the solution here in my words and added my understanding to it.

To solve this level, we first ssh into the leviathan2 server using the credentials provided above. We can see that there is an executable named ” printfile ” in the folder. The executable fetches the file passed by the user and prints its content on the console. Let’s see what happens if we send the file ” /etc/leviathan_pass/leviathan3 ” to it.

Screenshot from 2017-07-17 15-17-10.png

As we can see, the executable responds with ” You can’t have that file “. I then provided a file that we do have the rights to execute, ” /etc/leviathan_pass/leviathan2 ” and the application prints the contents of the file. To understand the inner working of the the executable, I fired gdb on two different terminals and set breakpoints at function calls to access@plt (b *main+101) and system@plt (b *main+177). On passing different files to these two terminals, we can see that the call to access@plt sets the value of $eax as 0 when our user has the access to the file and sets the value as -1 when our user does not have access to the file. Therefore, to change the course of the program, I set the value of $eax to 0 so that the program continues forward and does not create an error for the time being. For more information on access function, read this link.

Screenshot from 2017-07-17 15-33-42.png

Screenshot from 2017-07-17 15-34-09.pngOn proceeding further with the program, the executable passes “/bin/cat” along with our filename to the system command. If we do not have access to the file, the system command throws a permission error, otherwise, the contents of the file are printed. At this point, I tried creating a temporary file symbolic linked to the password file and hoping that the system function call to /bin/cat would not throw any errors as I do have the access to the file I created which is linked to the password file, however, that did not work. After several attempts at changing the call structure of gdb by modifying variables, I couldn’t print the file.

At this point, I decided to search for hints and found a few blogs which identified them. The trick is to use the symbolic link in a different way.

Screenshot from 2017-07-18 10-32-46.png

As we can see above, I created the following two files:

SecurityTimes with a symbolic link to the password file.
SecurityTimes solution

The exploit works in the following way: We pass the file “SecurityTimes solution” to the printfile executable. The file clears the access() function as the function looks at the complete filepath and as we can see, our user has the access to the file. Next, during the creation of the “/bin/cat” statement, the function assumes that these are two different files and not just one since there is a space between them. Thus, the function tries to print these two different files and since the first half of the filename exists, it prints the contents of that file which is symbolically linked to the password file. We can also create a file with the second half of the filename and put some content in it. Once the executable runs, contents of both the files would be displayed.

Screenshot from 2017-07-18 10-46-26.png

As you can see above, the executable displays our password and the content from our “solution” file.

Level 3

Username : leviathan3
Password : Ahdiemoo1j
SSH : leviathan.labs.overthewire.org:2223 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s