Dude is like SUPER into art+music hmmmmmmmm
Also most likely a she queen girly (cause like http://groups.yahoo.com/group/girlgroup/)
```html
Claudia
Lynch
password to leviathan1
```
leviathan0: leviathan0
leviathan1: 3QJ3TgzHDq
NOTE: `~/check` has the SUID bit set
The following one-liner will find the password ("sex"): `ltrace` shows the `strcmp` call that compares our input against it.
Run `echo sex | ./check` and then `cat /etc/leviathan_pass/leviathan2` :)
```bash
{ echo "password" | ltrace ./check 2>&1; } | grep strcmp
```
leviathan2: NsN1HwFoyN
NOTE: `~/printfile` has the SUID bit set
The obvious idea is: (tragic ending...)
```bash
./printfile /etc/leviathan_pass/leviathan3
# You cant have that file...
```
If we run something like `ltrace ./printfile /etc/os-release` (i.e. on a file we ARE permitted to read),
then we'll see the following:
```ltrace
access("/etc/os-release", 4) = 0
snprintf("/bin/cat /etc/os-release", 511, "/bin/cat %s", "/etc/os-release") = 24
system("/bin/cat /etc/os-release"
```
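Yippie!! They're running `/bin/cat` by its full path so we can't fool it with an alias, but maybe
we can exploit the "/bin/cat %s" format string, since our filename gets pasted into it and the
result is handed to `system()`! We'd just need to keep it pleased when it runs `access()`.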
Let's use gdb to skip this part:
```ltrace
access("/home/leviathan3/.ssh/id_rsa", 4) = -1
puts("You cant have that file...")
```
First we find `call ` at ``, plus there's:
```gdb
0x08049253 <+125>: test %eax,%eax
0x08049255 <+127>: je 0x804926e
```
Checking the *RETURN VALUE* section of `man access(3)`, we see `access()` returns 0
on success ("the floor here is made out of floor"), so let's set a breakpoint
with `b *(main+117)`, then `jump *(main+152)`, and pray nothing breaks.
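
For the defender's side of the `access()` + `system("/bin/cat %s")` pattern seen in the ltrace output above, here is an added example (not `printfile`'s source and not part of the original notes) of how a SUID helper could print a file without a separate check and without a shell. The function name `print_file_safely` and its signature are hypothetical.

```c
/* Added example: hardened alternative to access() followed by
 * system("/bin/cat %s"). Hypothetical names; not printfile's own code. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the file at `path` to out_fd. Returns bytes copied, or -1 on failure. */
ssize_t print_file_safely(const char *path, int out_fd)
{
    uid_t saved = geteuid();

    /* Check and open in ONE step, with the caller's real UID, so the kernel
     * decides on the very object we read (no access()-then-reopen gap). */
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int restore_failed = (seteuid(saved) != 0);
    if (fd < 0 || restore_failed) {
        if (fd >= 0) close(fd);
        return -1;
    }

    /* No shell and no /bin/cat: `path` is only ever a path, never a
     * command line, so spaces or ';' in it have no special meaning. */
    char buf[4096];
    ssize_t n, total = 0;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) { close(fd); return -1; }
            off += w;
        }
        total += n;
    }
    close(fd);
    return n < 0 ? -1 : total;
}

int main(int argc, char **argv)
{
    if (argc != 2) return 2;
    return print_file_safely(argv[1], STDOUT_FILENO) < 0 ? 1 : 0;
}
```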