Challenge: There is no information for this level, intentionally.

It seems we don’t get any information for any challenge. Just like the last one, we can SSH into the server with the credentials we got from the last challenge. Command: $ ssh leviathan1@leviathan.labs.overthewire.org -p 2223

Let’s have a look to see what is in the home directory.

leviathan1@leviathan:~$ ls -lsa
total 28
4 drwxr-xr-x  2 root       root       4096 Aug 26 22:26 .
4 drwxr-xr-x 10 root       root       4096 Aug 26 22:26 ..
4 -rw-r--r--  1 root       root        220 May 15  2017 .bash_logout
4 -rw-r--r--  1 root       root       3526 May 15  2017 .bashrc
8 -r-sr-x---  1 leviathan2 leviathan1 7452 Aug 26 22:26 check
4 -rw-r--r--  1 root       root        675 May 15  2017 .profile

There is a file named check. On my screen it has a red block around the name. What type of file is this? If we use the command $file <filename> we can find out.

leviathan1@leviathan:~$ file check
check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c735f6f3a3a94adcad8407cc0fda40496fd765dd, not stripped

It seems like it is a 32-bit LSB executable. Let’s run this file; it asks for a password. I tried the password of Leviathan1, but it is wrong.

leviathan1@leviathan:~$ ./check
password: rioGegei8m
Wrong password, Good Bye ...

Let’s go back and have a look at the permissions. The permissions are
-r-sr-x--- 1 leviathan2 leviathan1 7452 Aug 26 22:26 check.
This should mean that the user can read, the group can read and others can execute. The owner is leviathan2 and the group is leviathan1.

If we type in the command $groups we can see that we are a member of the leviathan1 group. Since we are a member of the leviathan1 group and that is the group of the file, we can read the file, but we can also execute the file since everyone can. If I’m not mistaken, the s in the permissions is a SUID bit, meaning we can run the file as the owner. Let’s find some more information about this.

What is SUID and how to set it in Linux?
SUID (Set owner User ID up on execution) is a special type of file permissions given to a file. Normally in Linux/Unix when a program runs, it inherits access permissions from the logged in user. SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather than the user who runs it.

https://www.linux.com/tutorials/what-suid-and-how-set-suid-linuxunix/

However, after reading some more this is not the SUID but the setgid bit. Meaning it will always execute with the permissions of the group.

Unlike the setuid bit, the setgid bit has effect on both files and directories. In the first case, the file which has the setgid bit set, when executed, instead of running with the privileges of the group of the user who started it, runs with those of the group which owns the file: in other words, the group ID of the process will be the same of that of the file.

https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits
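
To check a mode string like the one in the listing mechanically, here is a small decoder, added as an example and not part of the original write-up. The function names `decode_mode` and `octal` are my own; the slot positions follow the standard `ls -l` layout.

```python
# Added example: decode an `ls -l` mode string into classes and special bits.
# Index of each class's execute slot -> (special bit stored there, chars meaning "set")
SPECIAL = {3: ("setuid", "sS"), 6: ("setgid", "sS"), 9: ("sticky", "tT")}


def decode_mode(mode: str) -> dict:
    """Parse a 10-character mode string such as '-r-sr-x---'."""
    if len(mode) != 10:
        raise ValueError("expected 10 characters, e.g. -rwxr-xr-x")
    result = {"type": mode[0]}
    for name, start in (("owner", 1), ("group", 4), ("other", 7)):
        r, w, x = mode[start:start + 3]
        bit_name, set_chars = SPECIAL[start + 2]
        result[bit_name] = x in set_chars
        result[name] = {
            "read": r == "r",
            "write": w == "w",
            # lowercase s/t: special bit and execute; uppercase S/T: special bit only
            "execute": x in ("x", "s", "t"),
        }
    return result


def octal(mode: str) -> str:
    """Return the four-digit octal form, special bits first (e.g. '4550')."""
    d = decode_mode(mode)
    digits = [4 * d["setuid"] + 2 * d["setgid"] + 1 * d["sticky"]]
    for cls in ("owner", "group", "other"):
        p = d[cls]
        digits.append(4 * p["read"] + 2 * p["write"] + 1 * p["execute"])
    return "".join(str(n) for n in digits)


if __name__ == "__main__":
    print(decode_mode("-r-sr-x---"), octal("-r-sr-x---"))
```

For the listing’s `-r-sr-x---` this reports the setuid bit set (the `s` sits in the owner’s execute slot), owner and group both `r-x`, and nothing for others, in line with the `setuid ELF` in the `file` output above.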

Since we are in the file’s group, we can read the executable. How do we do this? I checked the file with strings and tried the couple of words that appeared above the “Wrong password” sentence, but no luck.

leviathan1@leviathan:~$ strings check
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRhp
QVh;
secrf
love
UWVS
t$,U
[^_]
password:
/bin/sh
Wrong password, Good Bye ...

Then I tried using hexdump to see if there is anything interesting. Using hexdump we see the following:

leviathan1@leviathan:~$ hexdump -C check
--snip--
00000540  e4 f0 ff 71 fc 55 89 e5  53 51 83 ec 20 c7 45 f0  |...q.U..SQ.. .E.|
00000550  73 65 78 00 c7 45 e9 73  65 63 72 66 c7 45 ed 65  |sex..E.secrf.E.e|
00000560  74 c6 45 ef 00 c7 45 e5  67 6f 64 00 c7 45 e0 6c  |t.E...E.god..E.l|
00000570  6f 76 65 c6 45 e4 00 83  ec 0c 68 90 86 04 08 e8  |ove.E.....h.....|
00000580  3c fe ff ff 83 c4 10 e8  44 fe ff ff 88 45 f4 e8  |<.......D....E..|
00000590  3c fe ff ff 88 45 f5 e8  34 fe ff ff 88 45 f6 c6  |<....E..4....E..|
000005a0  45 f7 00 83 ec 08 8d 45  f0 50 8d 45 f4 50 e8 fd  |E......E.P.E.P..|
000005b0  fd ff ff 83 c4 10 85 c0  75 2b e8 21 fe ff ff 89  |........u+.!....|
000005c0  c3 e8 1a fe ff ff 83 ec  08 53 50 e8 40 fe ff ff  |.........SP.@...|
000005d0  83 c4 10 83 ec 0c 68 9b  86 04 08 e8 20 fe ff ff  |......h..... ...|
000005e0  83 c4 10 eb 10 83 ec 0c  68 a3 86 04 08 e8 fe fd  |........h.......|
000005f0  ff ff 83 c4 10 b8 00 00  00 00 8d 65 f8 59 5b 5d  |...........e.Y[]|
00000600  8d 61 fc c3 66 90 66 90  66 90 66 90 66 90 66 90  |.a..f.f.f.f.f.f.|
00000610  55 57 56 53 e8 57 fe ff  ff 81 c3 e7 19 00 00 83  |UWVS.W..........|
00000620  ec 0c 8b 6c 24 20 8d b3  0c ff ff ff e8 43 fd ff  |...l$ .......C..|
00000630  ff 8d 83 08 ff ff ff 29  c6 c1 fe 02 85 f6 74 25  |.......)......t%|
00000640  31 ff 8d b6 00 00 00 00  83 ec 04 ff 74 24 2c ff  |1...........t$,.|
00000650  74 24 2c 55 ff 94 bb 08  ff ff ff 83 c7 01 83 c4  |t$,U............|
00000660  10 39 fe 75 e3 83 c4 0c  5b 5e 5f 5d c3 8d 76 00  |.9.u....[^_]..v.|
00000670  f3 c3 00 00 53 83 ec 08  e8 f3 fd ff ff 81 c3 83  |....S...........|
00000680  19 00 00 83 c4 08 5b c3  03 00 00 00 01 00 02 00  |......[.........|
00000690  70 61 73 73 77 6f 72 64  3a 20 00 2f 62 69 6e 2f  |password: ./bin/|
000006a0  73 68 00 57 72 6f 6e 67  20 70 61 73 73 77 6f 72  |sh.Wrong passwor|
000006b0  64 2c 20 47 6f 6f 64 20  42 79 65 20 2e 2e 2e 00  |d, Good Bye ....|
--snip--

We see a couple of words we tried before, like love and secrf. However, there is a new word: sex. After trying this, we got a new shell as the user Leviathan2.

However, we don’t have the password yet. The passwords can be found in /etc/leviathan_pass. We can reach this with the following commands; since there was no autocomplete, I had to check for the file names myself.
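
Why strings showed “secrf” and “love” but not the new word can be seen by replaying the bytes from the hexdump. The following is an added example, not part of the original write-up: the bytes are copied from offsets 0x540-0x57f of the dump above, and `stack_strings` and `strings_like` are my own heuristic helpers, not a real disassembler or the real `strings`.

```python
import struct

# Bytes 0x540-0x57f of `check`, copied from the hexdump shown above.
CODE = bytes.fromhex(
    "e4f0ff71fc5589e5535183ec20c745f0"
    "73657800c745e97365637266c745ed65"
    "74c645ef00c745e5676f6400c745e06c"
    "6f7665c645e40083ec0c6890860408e8"
)
# (opcode bytes, immediate size) for `mov [ebp+disp8], imm` on 32-bit x86
PATTERNS = [(b"\x66\xc7\x45", 2), (b"\xc7\x45", 4), (b"\xc6\x45", 1)]


def stack_strings(code: bytes) -> dict:
    """Replay immediate stores into a model of the stack frame, then read
    NUL-terminated strings back out, keyed by their ebp-relative offset."""
    frame, i = {}, 0
    while i < len(code):
        for prefix, size in PATTERNS:
            end = i + len(prefix) + 1 + size
            if code.startswith(prefix, i) and end <= len(code):
                disp = struct.unpack_from("b", code, i + len(prefix))[0]
                for n, byte in enumerate(code[end - size:end]):
                    frame[disp + n] = byte
                i = end
                break
        else:
            i += 1
    found, start, chars = {}, None, []
    for off in sorted(frame):
        byte = frame[off]
        contiguous = start is not None and off == start + len(chars)
        if 0x20 <= byte < 0x7f:
            if not contiguous:
                start, chars = off, []
            chars.append(chr(byte))
        else:
            if byte == 0 and contiguous and chars:
                found[start] = "".join(chars)
            start, chars = None, []
    return found


def strings_like(data: bytes, min_len: int = 4) -> list:
    """Simplified imitation of `strings`: printable runs of >= min_len bytes."""
    raw = "".join(chr(b) if 0x20 <= b < 0x7f else "\0" for b in data)
    return [run for run in raw.split("\0") if len(run) >= min_len]
```

The replay yields love, god, secret and sex: “secrf” is “secr” followed by the 0x66 operand-size prefix of the next store (which writes “et”), and the three-character words fall below the default minimum length of 4 that `strings` uses. Comparison strings compiled into a setuid binary are recoverable by anyone who can read the file.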

$ cd /etc
$ ls
--snip--
console-setup           gshadow                 ld.so.conf.d     networks        resolv.conf     timezone
cron.d                  gshadow-                leviathan_pass   newt            rmt             tmpfiles.d
cron.daily              gss                     libaudit.conf    nsswitch.conf   rpc             ucf.confd
--snip--
$ cd leviathan_pass
$ ls
leviathan0  leviathan1  leviathan2  leviathan3  leviathan4  leviathan5  leviathan6  leviathan7
$ cat leviathan2
ougahZi8Ta

We got the password for leviathan2.
