<Leviathan> +NOTES.md

2025-07-16 04:17:07 +10:00 · 2025-07-16 04:17:07 +10:00 · b06388a216
commit b06388a216
parent 503a8a0c5c
2 changed files with 1450 additions and 0 deletions
--- a/overthewire/leviathan/NOTES.md
+++ b/overthewire/leviathan/NOTES.md
@ -0,0 +1,51 @@
 Dude is like SUPER into art+music hmmmmmmmm
 Also most likely a she queen girly (cause like http://groups.yahoo.com/group/girlgroup/)
 ```html
 <!-- potentially her? -->
 <DT><A HREF="mailto:lynch@unt.edu" ADD_DATE="1145267944" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Claudia
        Lynch</A>
 <!-- nevermind even easier (searched for "password" hoping she bookmarked something)-->
 <DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is 3QJ3TgzHDq" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>
 ```
 leviathan0: leviathan0
 leviathan1: 3QJ3TgzHDq
    NOTE: `~/check` has the SUID bit set
    The following script will find the password ("sex"). 
    Run `echo sex | ./check` and then `cat /etc/leviathan_pass/leviathan2` :)
 ```bash
 { echo "password" | ltrace ./check 2>&1; } | grep strcmp
 ```
 leviathan2: NsN1HwFoyN
    NOTE: `~/printfile` has the SUID bit set
    The obvious idea is: (tragic ending...)
 ```bash
 >>> ./printfile /etc/leviathan_pass/leviathan3
 #You cant have that file...  
 ```
    If we run something like `ltrace ./printfile /etc/os-release` (aka on a file we ARE permitted to)
    then we'll see the following
 ```ltrace
 access("/etc/os-release", 4)                                                                                        = 0
 snprintf("/bin/cat /etc/os-release", 511, "/bin/cat %s", "/etc/os-release")                                         = 24
 system("/bin/cat /etc/os-release"
 ```
    Yippie!! They're running `/bin/cat` so we can't fool it with an alias, but maybe
    we exploit the "/bin/cat %s" format string! We'd just need to keep it pleased
    when it runs `access()`
    Let's use gdb to skip this part:
 ```ltrace
 access("/home/leviathan3/.ssh/id_rsa", 4)                                                                           = -1
 puts("You cant have that file...")
 ```
    First we find `call <access@plt>` at `<main+117>`, plus there's:
 ```gdb
 0x08049253 <+125>:   test   %eax,%eax
 0x08049255 <+127>:   je     0x804926e <main+152>
 ```
    Checking `man access(3)` *RETURN VALUE* section we see `access()` returns 0
    on success ("the floor here is made out of floor") so let's set a breakpoint
    on `b *(main+117)` then `jump *(main+152)` and pray nothing breaks.
--- a/overthewire/leviathan/leviathan0-bookmarks.html
+++ b/overthewire/leviathan/leviathan0-bookmarks.html