• OverTheWire – Leviathan

  • Back
24 May 2020 by 

If you found my content helpful then please consider supporting me to do even more crazy projects and writeups. Just click the button below to donate.

Leviathan was the second overthewire CTF I tried (after bandit). Leviathan overall is focused mainly on reverse engineering. As such this CTF requires you to get to grips with reverse engineering tools such as GDB and strace/ltrace to progress. The challenges are quite simple once you have the correct tool so I’d definitely recommend this CTF for beginners.


Below I have briefly detailed the tools I used during this CTF.


file [filename] will detail file type


hexdump -C [filename] will dump out file to hexidecimal


strings [filename] will extract strings from file

ltrace, strace

ltrace [executable] and strace [executable] will track library calls and system calls during execution of program


objdump -d [filename] will dissasemble file into assembly code
objdump -x [filename] provides header information for file


gdb is a debugger which allows you to step through program code amoung other things. It’s far too complicated to detail in this small section so I suggest you checkout https://www.youtube.com/watch?v=bWH-nL7v5F4


Hidden backup file in home dir
cat .backup/bookmarks.html | grep overthewire

leviathan1 password: rioGegei8m


strings ./check didn’t produce anything useful
ltrace ./check shows us the password is sex. After login you are in leviathan2 bash

leviathan2 password: ougahZi8Ta


ltrace ./printfile
mkdir "/tmp/tom123456789/"
touch "/tmp/tom123456789/test && bash"

./printfile "/tmp/tom123456789/test && bash"

leviathan3 password: Ahdiemoo1j


Same as leviathan1 – use ltrace to get password

leviathan4 password: vuH0coox6m


ltrace shows that it’s opening leviathan5 pass file. Dumps it as binary to terminal. Reverse to text https://unix.stackexchange.com/questions/98948/ascii-to-binary-and-binary-to-ascii-conversion-tools

leviathan5 password: Tith4cokei


Same as above. ltrace and symlink to password file.

leviathan6 password: UgaoFee4li


ltrace shows not much useful

Use gdb:

gdb --args ./leviathan6 1234
disassemble main 
set disassembly-flavor intel
disassemble main
layout asm (open disassembly)
layout regs (open registers)
break main 
break \*0x0804858f (break at suspected cmp function)
run 9999
si (make a step in asm)
ni (make a next in asm, dont step into functions)
Press <enter> (runs previous command again) till you hit 0x0804858f or press 'c' to continue to 2nd breakpoint
i r (list registers at breakpoint)
x/d $ebp-0xc (view value at memory address that is being compared to eax/input number)

Code revealed as 7123. Gives shell, cat password.

leviathan7 password: ahy7MaeBo9


Congrats you have completed the CTF. Nothing to do for this step.

Other Walkthroughs

I found the following walkthroughs helpful when I was doing this CTF: