<Leviathan> +NOTES.md

2025-07-16 04:17:07 +10:00 · 2025-07-16 04:17:07 +10:00 · b06388a216
commit b06388a216
parent 503a8a0c5c
2 changed files with 1450 additions and 0 deletions
--- a/overthewire/leviathan/NOTES.md
+++ b/overthewire/leviathan/NOTES.md
@ -0,0 +1,51 @@
+Dude is like SUPER into art+music hmmmmmmmm
+Also most likely a she queen girly (cause like http://groups.yahoo.com/group/girlgroup/)
+
+```html
+<!-- potentially her? -->
+<DT><A HREF="mailto:lynch@unt.edu" ADD_DATE="1145267944" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Claudia
+        Lynch</A>
+
+<!-- nevermind even easier (searched for "password" hoping she bookmarked something)-->
+<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is 3QJ3TgzHDq" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>
+```
+
+leviathan0: leviathan0
+leviathan1: 3QJ3TgzHDq
+    NOTE: `~/check` has the SUID bit set
+    The following script will find the password ("sex"). 
+    Run `echo sex | ./check` and then `cat /etc/leviathan_pass/leviathan2` :)
+```bash
+{ echo "password" | ltrace ./check 2>&1; } | grep strcmp
+```
+leviathan2: NsN1HwFoyN
+    NOTE: `~/printfile` has the SUID bit set
+    The obvious idea is: (tragic ending...)
+```bash
+>>> ./printfile /etc/leviathan_pass/leviathan3
+#You cant have that file...  
+```
+    If we run something like `ltrace ./printfile /etc/os-release` (aka on a file we ARE permitted to)
+    then we'll see the following
+```ltrace
+access("/etc/os-release", 4)                                                                                        = 0
+snprintf("/bin/cat /etc/os-release", 511, "/bin/cat %s", "/etc/os-release")                                         = 24
+system("/bin/cat /etc/os-release"
+```
+    Yippie!! They're running `/bin/cat` so we can't fool it with an alias, but maybe
+    we exploit the "/bin/cat %s" format string! We'd just need to keep it pleased
+    when it runs `access()`
+
+    Let's use gdb to skip this part:
+```ltrace
+access("/home/leviathan3/.ssh/id_rsa", 4)                                                                           = -1
+puts("You cant have that file...")
+```
+    First we find `call <access@plt>` at `<main+117>`, plus there's:
+```gdb
+0x08049253 <+125>:   test   %eax,%eax
+0x08049255 <+127>:   je     0x804926e <main+152>
+```
+    Checking `man access(3)` *RETURN VALUE* section we see `access()` returns 0
+    on success ("the floor here is made out of floor") so let's set a breakpoint
+    on `b *(main+117)` then `jump *(main+152)` and pray nothing breaks.
--- a/overthewire/leviathan/leviathan0-bookmarks.html
+++ b/overthewire/leviathan/leviathan0-bookmarks.html