OverTheWire – Leviathan

24 May 2020 by 

Leviathan was the second overthewire CTF I tried (after bandit). Leviathan overall is focused mainly on reverse engineering. As such this CTF requires you to get to grips with reverse engineering tools such as GDB and strace/ltrace to progress. The challenges are quite simple once you have the correct tool so I’d definitely recommend this CTF for beginners.

Tools

Below I have briefly detailed the tools I used during this CTF.

file

file [filename] will identify the file type

hexdump

hexdump -C [filename] will dump the file out as hexadecimal

strings

strings [filename] will extract printable strings from the file

ltrace, strace

ltrace [executable] and strace [executable] will trace library calls and system calls, respectively, during execution of the program

objdump

objdump -d [filename] will disassemble the file into assembly code
objdump -x [filename] provides header information for the file

gdb

gdb is a debugger which allows you to step through program code among other things. It’s far too complicated to detail in this small section so I suggest you check out https://www.youtube.com/watch?v=bWH-nL7v5F4

leviathan0

Hidden backup file in home dir
cat .backup/bookmarks.html | grep overthewire

leviathan1 password: rioGegei8m

leviathan1

strings ./check didn’t produce anything useful
ltrace ./check shows us the password is sex. After login you are in leviathan2 bash

leviathan2 password: ougahZi8Ta

leviathan2

ltrace ./printfile
mkdir "/tmp/tom123456789/"
touch "/tmp/tom123456789/test && bash"

./printfile "/tmp/tom123456789/test && bash"

leviathan3 password: Ahdiemoo1j

leviathan3

Same as leviathan1 – use ltrace to get password

leviathan4 password: vuH0coox6m

leviathan4

ltrace shows that it’s opening the leviathan5 password file. It dumps it as binary to the terminal. Convert it back to text: https://unix.stackexchange.com/questions/98948/ascii-to-binary-and-binary-to-ascii-conversion-tools
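The binary dump from this level can be turned back into text with a short script. This is an added example, not part of the original post or of the challenge; it accepts both the space-separated 8-bit groups the program prints and an unseparated bit stream, and rejects anything that is not a clean multiple of 8 bits so a garbled copy-paste fails loudly rather than producing wrong characters. The sample input is constructed, not the real challenge output.

```python
import re


def binary_to_text(dump: str) -> str:
    """Decode ASCII text written out as binary digits.

    Whitespace between groups is ignored, so "01100011 01110100" and
    "0110001101110100" decode the same way. Any character other than
    0, 1 or whitespace, or a bit count that is not a multiple of 8,
    raises ValueError instead of silently producing garbage.
    """
    bits = re.sub(r"\s+", "", dump)
    if not bits or re.search(r"[^01]", bits):
        raise ValueError("input must contain only 0, 1 and whitespace")
    if len(bits) % 8:
        raise ValueError(f"bit count {len(bits)} is not a multiple of 8")
    # Take each 8-bit group, parse it as a base-2 integer, map to a character.
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


# Constructed sample (not the real level output): the word "ctf" in binary.
SAMPLE_DUMP = "01100011 01110100 01100110"

if __name__ == "__main__":
    print(binary_to_text(SAMPLE_DUMP))
```

Pipe the program's output straight in (`./leviathan4 | python3 bin2text.py`) once the script reads stdin instead of SAMPLE_DUMP.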

leviathan5 password: Tith4cokei

leviathan5

Same as above. ltrace and symlink to password file.

leviathan6 password: UgaoFee4li

leviathan6

ltrace doesn’t show much of use.

Use gdb:

gdb --args ./leviathan6 1234
disassemble main 
set disassembly-flavor intel
disassemble main
layout asm (open disassembly)
layout regs (open registers)
break main 
break *0x0804858f (break at suspected cmp instruction)
run 9999
si (make a step in asm)
ni (make a next in asm, don't step into functions)
Press <enter> (runs previous command again) till you hit 0x0804858f or press 'c' to continue to 2nd breakpoint
i r (list registers at breakpoint)
x/d $ebp-0xc (view value at memory address that is being compared to eax/input number)

Code revealed as 7123. Gives shell, cat password.

leviathan7 password: ahy7MaeBo9

leviathan7

Congrats, you have completed the CTF. Nothing to do for this step.

Other Walkthroughs

I found the following walkthroughs helpful when I was doing this CTF: