Challenge: There is no information for this level, intentionally.
It seems we don’t get any information for any challenge. Just like the last one, we can SSH into the server with the credentials we got from the last challenge. Command: $ssh leviathan1@leviathan.labs.overthewire.org -p 2223
Let’s have a look to see what is in the home directory.
leviathan1@leviathan:~$ ls -lsa
total 28
4 drwxr-xr-x 2 root root 4096 Aug 26 22:26 .
4 drwxr-xr-x 10 root root 4096 Aug 26 22:26 ..
4 -rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
4 -rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
8 -r-sr-x--- 1 leviathan2 leviathan1 7452 Aug 26 22:26 check
4 -rw-r--r-- 1 root root 675 May 15 2017 .profile
There is a file named check. On my screen it has a red block around the name. What type of file is this? If we use the command $file <filename> we can find out.
leviathan1@leviathan:~$ file check
check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c735f6f3a3a94adcad8407cc0fda40496fd765dd, not stripped
It seems like it is a 32-bit LSB executable. Let’s run this file. It asks for a password. I tried the password of leviathan1, but it is wrong.
leviathan1@leviathan:~$ ./check
password: rioGegei8m
Wrong password, Good Bye ...
Let’s go back and have a look at the permissions. The permissions are
-r-sr-x--- 1 leviathan2 leviathan1 7452 Aug 26 22:26 check
This should mean that the user can read, the group can read and others can execute. The owner is leviathan2 and the group is leviathan1.
If we type in the command $groups we can see that we are a member of the leviathan1 group. Since we are a member of the leviathan1 group and that is the group of the file, we can read the file, but we can also execute the file since everyone can. If I’m not mistaken, the s in the permissions is a SUID bit, meaning we can run the file as the owner. Let’s find some more information about this.
What is SUID and how to set it in Linux?
https://www.linux.com/tutorials/what-suid-and-how-set-suid-linuxunix/
SUID (Set owner User ID up on execution) is a special type of file permissions given to a file. Normally in Linux/Unix when a program runs, it inherits access permissions from the logged in user. SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather than the user who runs it.
However, after reading some more this is not the SUID but the setgid bit. Meaning it will always execute with the permissions of the group.
https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits
Unlike the setuid bit, the setgid bit has effect on both files and directories. In the first case, the file which has the setgid bit set, when executed, instead of running with the privileges of the group of the user who started it, runs with those of the group which owns the file: in other words, the group ID of the process will be the same of that of the file.
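A decoder for the ten-character mode string that ls prints, applied to the check entry from the listing above. This is an added example, not part of the original write-up; the function names decode_mode and parse_ls_entry are made up here. It reports the permissions per class, which special bits are set, and which identity the process takes on, so the result can be compared with the "setuid" that the file command prints.

```python
import re

MODE_RE = re.compile(r"^[-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]$")

def decode_mode(mode):
    """Decode a 10-character `ls -l` mode string into (perms, special, octal)."""
    if not MODE_RE.match(mode):
        raise ValueError(f"not a mode string: {mode!r}")
    # (class, special bit shown in its execute slot, octal weight, shift, triad)
    slots = (("owner", "setuid", 4, 6, mode[1:4]),
             ("group", "setgid", 2, 3, mode[4:7]),
             ("other", "sticky", 1, 0, mode[7:10]))
    perms, special, octal = {}, {}, 0
    for who, bit, weight, shift, (r, w, x) in slots:
        special[bit] = x in "sStT"
        # lowercase s/t: the execute bit is set too; uppercase S/T: it is not
        can_exec = x in "xst"
        perms[who] = {"read": r == "r", "write": w == "w", "execute": can_exec}
        octal |= ((r == "r") << 2 | (w == "w") << 1 | can_exec) << shift
        if special[bit]:
            octal |= weight << 9
    return perms, special, octal

def parse_ls_entry(line):
    """Parse one `ls -l` / `ls -ls` line and say which identity the file runs as."""
    fields = line.split()
    i = next(k for k, f in enumerate(fields) if MODE_RE.match(f))
    perms, special, octal = decode_mode(fields[i])
    owner, group = fields[i + 2], fields[i + 3]
    runs_user = special["setuid"] and perms["owner"]["execute"]
    runs_group = special["setgid"] and perms["group"]["execute"]
    return {
        "name": fields[-1], "owner": owner, "group": group,
        "octal": oct(octal), "perms": perms, "special": special,
        "runs_as_user": owner if runs_user else None,
        "runs_as_group": group if runs_group else None,
    }

# The entry for check, copied from the `ls -lsa` output above.
ENTRY = "8 -r-sr-x--- 1 leviathan2 leviathan1 7452 Aug 26 22:26 check"

if __name__ == "__main__":
    info = parse_ls_entry(ENTRY)
    for key in ("name", "octal", "special", "runs_as_user", "runs_as_group"):
        print(f"{key}: {info[key]}")
    for who, p in info["perms"].items():
        print(f"{who}: {p}")
```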
Being in the group of the file means we can read the executable. How do we do this? I checked the file with strings and tried the couple of words that appear above the sentence "Wrong password", but no luck.
leviathan1@leviathan:~$ strings check
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRhp
QVh;
secrf
love
UWVS
t$,U
[^_]
password:
/bin/sh
Wrong password, Good Bye ...
Then I tried using hexdump to see if there is anything interesting. Using hexdump we see the following:
leviathan1@leviathan:~$ hexdump -C check
--snip--
00000540 e4 f0 ff 71 fc 55 89 e5 53 51 83 ec 20 c7 45 f0 |...q.U..SQ.. .E.|
00000550 73 65 78 00 c7 45 e9 73 65 63 72 66 c7 45 ed 65 |sex..E.secrf.E.e|
00000560 74 c6 45 ef 00 c7 45 e5 67 6f 64 00 c7 45 e0 6c |t.E...E.god..E.l|
00000570 6f 76 65 c6 45 e4 00 83 ec 0c 68 90 86 04 08 e8 |ove.E.....h.....|
00000580 3c fe ff ff 83 c4 10 e8 44 fe ff ff 88 45 f4 e8 |<.......D....E..|
00000590 3c fe ff ff 88 45 f5 e8 34 fe ff ff 88 45 f6 c6 |<....E..4....E..|
000005a0 45 f7 00 83 ec 08 8d 45 f0 50 8d 45 f4 50 e8 fd |E......E.P.E.P..|
000005b0 fd ff ff 83 c4 10 85 c0 75 2b e8 21 fe ff ff 89 |........u+.!....|
000005c0 c3 e8 1a fe ff ff 83 ec 08 53 50 e8 40 fe ff ff |.........SP.@...|
000005d0 83 c4 10 83 ec 0c 68 9b 86 04 08 e8 20 fe ff ff |......h..... ...|
000005e0 83 c4 10 eb 10 83 ec 0c 68 a3 86 04 08 e8 fe fd |........h.......|
000005f0 ff ff 83 c4 10 b8 00 00 00 00 8d 65 f8 59 5b 5d |...........e.Y[]|
00000600 8d 61 fc c3 66 90 66 90 66 90 66 90 66 90 66 90 |.a..f.f.f.f.f.f.|
00000610 55 57 56 53 e8 57 fe ff ff 81 c3 e7 19 00 00 83 |UWVS.W..........|
00000620 ec 0c 8b 6c 24 20 8d b3 0c ff ff ff e8 43 fd ff |...l$ .......C..|
00000630 ff 8d 83 08 ff ff ff 29 c6 c1 fe 02 85 f6 74 25 |.......)......t%|
00000640 31 ff 8d b6 00 00 00 00 83 ec 04 ff 74 24 2c ff |1...........t$,.|
00000650 74 24 2c 55 ff 94 bb 08 ff ff ff 83 c7 01 83 c4 |t$,U............|
00000660 10 39 fe 75 e3 83 c4 0c 5b 5e 5f 5d c3 8d 76 00 |.9.u....[^_]..v.|
00000670 f3 c3 00 00 53 83 ec 08 e8 f3 fd ff ff 81 c3 83 |....S...........|
00000680 19 00 00 83 c4 08 5b c3 03 00 00 00 01 00 02 00 |......[.........|
00000690 70 61 73 73 77 6f 72 64 3a 20 00 2f 62 69 6e 2f |password: ./bin/|
000006a0 73 68 00 57 72 6f 6e 67 20 70 61 73 73 77 6f 72 |sh.Wrong passwor|
000006b0 64 2c 20 47 6f 6f 64 20 42 79 65 20 2e 2e 2e 00 |d, Good Bye ....|
--snip--
We see a couple of the words we tried before, like love and secrf. However, there is a new word: sex. After trying this as the password we got a new shell as the user leviathan2.
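Why strings showed secrf and love but not the working password, as an added example that is not part of the original write-up (the function names are made up, and the decoder only handles the `mov [ebp+disp8], imm` encodings that occur in these bytes). It replays the immediate stores from the hexdump into a small model of the stack frame and reads the NUL-terminated strings back out; a hard-coded secret built this way is still fully recoverable from the binary.

```python
import re

# Bytes at file offsets 0x54d-0x576, copied from the hexdump above.
CODE = bytes.fromhex(
    "c745f073657800" "c745e973656372" "66c745ed6574" "c645ef00"
    "c745e5676f6400" "c745e06c6f7665" "c645e400"
)

def ascii_runs(data, n=4):
    """Printable runs of at least n bytes (n=4 is the default of strings)."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % n, data)]

def decode_stack_stores(code):
    """Replay `mov [ebp+disp8], imm` stores; return {ebp offset: byte}."""
    mem, i = {}, 0
    while i < len(code):
        width = 4
        if code[i] == 0x66:            # operand-size prefix: 16-bit immediate
            width, i = 2, i + 1
        if i + 3 > len(code) or code[i + 1] != 0x45:   # ModRM 0x45: [ebp+disp8]
            break
        if code[i] == 0xC6:            # mov byte ptr [..], imm8
            width = 1
        elif code[i] != 0xC7:          # mov (d)word ptr [..], imm
            break
        disp = code[i + 2] - 256 if code[i + 2] > 127 else code[i + 2]
        for k, b in enumerate(code[i + 3:i + 3 + width]):
            mem[disp + k] = b
        i += 3 + width
    return mem

def stack_strings(mem):
    """NUL-terminated strings in the reconstructed frame, keyed by offset."""
    out = {}
    for off in sorted(mem):
        if mem[off] == 0 or mem.get(off - 1, 0) != 0:
            continue                   # not the first byte of a string
        end = off
        while mem.get(end, 0) != 0:
            end += 1
        if end in mem:                 # only keep strings with an explicit NUL
            out[off] = bytes(mem[k] for k in range(off, end)).decode("latin-1")
    return out

if __name__ == "__main__":
    print("strings-style scan:", ascii_runs(CODE))
    for off, s in stack_strings(decode_stack_stores(CODE)).items():
        print(f"[ebp{off:+#x}] = {s!r}")
```

The scan misses the three-letter words because they are shorter than the four-character minimum, and "secrf" turns out to be "secr" followed by the 0x66 prefix byte of the next instruction, which is ASCII "f".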

However, we don’t have the password yet. The passwords can be found in /etc/leviathan_pass. We can reach this with the following commands; since there was no autocomplete, I had to check for the file names etc.
$ cd /etc
$ ls
--snip--
console-setup gshadow ld.so.conf.d networks resolv.conf timezone
cron.d gshadow- leviathan_pass newt rmt tmpfiles.d
cron.daily gss libaudit.conf nsswitch.conf rpc ucf.confd
--snip--
$ cd leviathan_pass
$ ls
leviathan0 leviathan1 leviathan2 leviathan3 leviathan4 leviathan5 leviathan6 leviathan7
$ cat leviathan2
ougahZi8Ta
We got the password for leviathan2.