OverTheWire – Leviathan

24 May 2020 by 


Leviathan was the second OverTheWire CTF I tried (after Bandit). It focuses mainly on reverse engineering, so you need to get to grips with tools such as GDB, strace and ltrace to progress. The challenges are quite simple once you have the correct tool, so I’d definitely recommend this CTF for beginners.

Tools

Below I have briefly detailed the tools I used during this CTF.

file

file [filename] reports the file type

hexdump

hexdump -C [filename] dumps the file as hexadecimal

strings

strings [filename] extracts printable strings from the file

ltrace, strace

ltrace [executable] and strace [executable] trace library calls and system calls, respectively, while the program runs

objdump

objdump -d [filename] disassembles the file into assembly code
objdump -x [filename] prints the file's header information

gdb

gdb is a debugger which allows you to step through program code, among other things. It’s far too complicated to detail in this small section, so I suggest you check out https://www.youtube.com/watch?v=bWH-nL7v5F4

leviathan0

Hidden backup file in home dir
cat .backup/bookmarks.html | grep overthewire

leviathan1 password: rioGegei8m

leviathan1

strings ./check didn’t produce anything useful
ltrace ./check shows us the password is sex. After login you are in leviathan2 bash

leviathan2 password: ougahZi8Ta

leviathan2

ltrace ./printfile
mkdir "/tmp/tom123456789/"
touch "/tmp/tom123456789/test && bash"

./printfile "/tmp/tom123456789/test && bash"

leviathan3 password: Ahdiemoo1j
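
The leviathan2 filename above only has an effect if printfile hands its argument to a shell command line; that is an assumption here, since the ltrace output is not shown. The following is an added example, not code from the original writeup or the challenge binary, contrasting that weak pattern with passing the name as a single argument. The functions unsafe_print, safe_print and make_fixture and all file names are constructed, and "echo INJECTED" is a harmless marker.

```shell
#!/bin/sh
# Added example with constructed names; "echo INJECTED" is a harmless marker.

# Weak pattern (assumed): the filename is pasted into a command string that a
# shell then parses, the way system("cat <name>") behaves in C.
unsafe_print() {
    sh -c "cat $1"
}

# Corrected pattern: the filename travels as one argument and is never parsed
# as shell syntax; "--" keeps a leading "-" from being read as an option.
safe_print() {
    cat -- "$1"
}

# Build a scratch directory holding a plain file and an oddly named one,
# then print the directory path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf 'plain file\n' > "$dir/test"
    printf 'odd file\n' > "$dir/test && echo INJECTED"
    printf '%s\n' "$dir"
}

dir=$(make_fixture)
name="$dir/test && echo INJECTED"

echo "unsafe_print output:"
unsafe_print "$name"   # the shell runs: cat $dir/test, then echo INJECTED

echo "safe_print output:"
safe_print "$name"     # cat opens the one file whose name contains " && "

rm -rf "$dir"
```

In C, the equivalent fix is to replace system() with fork() plus execv() and an argument array, so no shell ever sees the filename.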

leviathan3

Same as leviathan1 – use ltrace to get password

leviathan4 password: vuH0coox6m

leviathan4

ltrace shows that it’s opening the leviathan5 password file. The program dumps the contents to the terminal as binary. Convert that back to text: https://unix.stackexchange.com/questions/98948/ascii-to-binary-and-binary-to-ascii-conversion-tools

leviathan5 password: Tith4cokei

leviathan5

Same as above. ltrace and symlink to password file.

leviathan6 password: UgaoFee4li

leviathan6

ltrace doesn’t show much that is useful

Use gdb:

gdb --args ./leviathan6 1234
disassemble main 
set disassembly-flavor intel
disassemble main
layout asm (open disassembly)
layout regs (open registers)
break main 
break *0x0804858f (break at suspected cmp function)
run 9999
si (make a step in asm)
ni (make a next in asm, don’t step into functions)
Press <enter> (runs previous command again) till you hit 0x0804858f or press 'c' to continue to 2nd breakpoint
i r (list registers at breakpoint)
x/d $ebp-0xc (view value at memory address that is being compared to eax/input number)

Code revealed as 7123. Gives shell, cat password.

leviathan7 password: ahy7MaeBo9

leviathan7

Congrats you have completed the CTF. Nothing to do for this step.

Other Walkthroughs

I found the following walkthroughs helpful when I was doing this CTF: