If you found my content helpful then please consider supporting me to do even more crazy projects and writeups. Just click the button below to donate.
Leviathan was the second overthewire CTF I tried (after bandit). Leviathan overall is focused mainly on reverse engineering. As such this CTF requires you to get to grips with reverse engineering tools such as GDB and strace/ltrace to progress. The challenges are quite simple once you have the correct tool so I’d definitely recommend this CTF for beginners.
Below I have briefly detailed the tools I used during this CTF.
file [filename] will detail file type
hexdump -C [filename] will dump out file to hexidecimal
strings [filename] will extract strings from file
ltrace [executable] and
strace [executable] will track library calls and system calls during execution of program
objdump -d [filename] will dissasemble file into assembly code
objdump -x [filename] provides header information for file
gdb is a debugger which allows you to step through program code amoung other things. It’s far too complicated to detail in this small section so I suggest you checkout https://www.youtube.com/watch?v=bWH-nL7v5F4
Hidden backup file in home dir
cat .backup/bookmarks.html | grep overthewire
leviathan1 password: rioGegei8m
strings ./check didn’t produce anything useful
ltrace ./check shows us the password is sex. After login you are in leviathan2 bash
leviathan2 password: ougahZi8Ta
touch "/tmp/tom123456789/test && bash"
./printfile "/tmp/tom123456789/test && bash"
leviathan3 password: Ahdiemoo1j
Same as leviathan1 – use ltrace to get password
leviathan4 password: vuH0coox6m
ltrace shows that it’s opening leviathan5 pass file. Dumps it as binary to terminal. Reverse to text https://unix.stackexchange.com/questions/98948/ascii-to-binary-and-binary-to-ascii-conversion-tools
leviathan5 password: Tith4cokei
Same as above. ltrace and symlink to password file.
leviathan6 password: UgaoFee4li
ltrace shows not much useful
gdb --args ./leviathan6 1234 disassemble main set disassembly-flavor intel disassemble main layout asm (open disassembly) layout regs (open registers) break main break \*0x0804858f (break at suspected cmp function) run 9999 si (make a step in asm) ni (make a next in asm, dont step into functions) Press <enter> (runs previous command again) till you hit 0x0804858f or press 'c' to continue to 2nd breakpoint i r (list registers at breakpoint) x/d $ebp-0xc (view value at memory address that is being compared to eax/input number)
Code revealed as 7123. Gives shell, cat password.
leviathan7 password: ahy7MaeBo9
Congrats you have completed the CTF. Nothing to do for this step.
I found the following walkthroughs helpful when I was doing this CTF: