Leviathan Level 1

Again, ls -al shows us an executable owned by leviathan2 with the suid bit set.

-r-sr-x--- 1 leviathan2 leviathan1 7493 Nov 14  2014 check

It asks for a password; if the password is wrong, it prints “Wrong password, Good Bye …” and exits.

Let’s open it up in radare2.

$ r2 ./check
[0x08048430]> aa
[0x08048430]> pdf @ sym.main
/ (fcn) sym.main 189
|           ; DATA XREF from 0x08048447 (sym.main)
|           ;-- main:
|           0x0804852d    55             push ebp
|           0x0804852e    89e5           mov ebp, esp
|           0x08048530    83e4f0         and esp, 0xfffffff0
|           0x08048533    83ec30         sub esp, 0x30
|           0x08048536    65a114000000   mov eax, dword gs:[0x14]      ; [0x14:4]=1
|           0x0804853c    8944242c       mov dword [esp + 0x2c], eax
|           0x08048540    31c0           xor eax, eax
|           0x08048542    c74424187365.  mov dword [esp + 0x18], 0x786573 ; [0x786573:4]=-1
|           0x0804854a    c74424257365.  mov dword [esp + 0x25], 0x72636573 ; [0x72636573:4]=-1
|           0x08048552    66c744242965.  mov word [esp + 0x29], 0x7465 ; [0x7465:2]=0xffff
|           0x08048559    c644242b00     mov byte [esp + 0x2b], 0
|           0x0804855e    c744241c676f.  mov dword [esp + 0x1c], 0x646f67 ; [0x646f67:4]=-1
|           0x08048566    c74424206c6f.  mov dword [esp + 0x20], 0x65766f6c ; [0x65766f6c:4]=-1
|           0x0804856e    c644242400     mov byte [esp + 0x24], 0
|           0x08048573    c70424808604.  mov dword [esp], str.password: ; [0x8048680:4]=0x73736170  LEA str.password: ; "password: " @ 0x8048680
|           0x0804857a    e841feffff     call sym.imp.printf
|           0x0804857f    e84cfeffff     call sym.imp.getchar
|           0x08048584    88442414       mov byte [esp + 0x14], al
|           0x08048588    e843feffff     call sym.imp.getchar
|           0x0804858d    88442415       mov byte [esp + 0x15], al
|           0x08048591    e83afeffff     call sym.imp.getchar
|           0x08048596    88442416       mov byte [esp + 0x16], al
|           0x0804859a    c644241700     mov byte [esp + 0x17], 0
|           0x0804859f    8d442418       lea eax, [esp + 0x18]         ; 0x18
|           0x080485a3    89442404       mov dword [esp + 4], eax
|           0x080485a7    8d442414       lea eax, [esp + 0x14]         ; 0x14
|           0x080485ab    890424         mov dword [esp], eax
|           0x080485ae    e8fdfdffff     call sym.imp.strcmp
|           0x080485b3    85c0           test eax, eax
|       ,=< 0x080485b5    750e           jne 0x80485c5
|       |   0x080485b7    c704248b8604.  mov dword [esp], str._bin_sh  ; [0x804868b:4]=0x6e69622f  LEA str._bin_sh ; "/bin/sh" @ 0x804868b
|       |   0x080485be    e83dfeffff     call sym.imp.system
|      ,==< 0x080485c3    eb0c           jmp 0x80485d1
|      |`-> 0x080485c5    c70424938604.  mov dword [esp], str.Wrong_password__Good_Bye_... ; [0x8048693:4]=0x6e6f7257  LEA str.Wrong_password__Good_Bye_... ; "Wrong password, Good Bye ..." @ 0x8048693
|      |    0x080485cc    e81ffeffff     call sym.imp.puts
|      |    ; JMP XREF from 0x080485c3 (sym.main)
|      `--> 0x080485d1    b800000000     mov eax, 0
|           0x080485d6    8b54242c       mov edx, dword [esp + 0x2c]   ; [0x2c:4]=0x280009  ; ','
|           0x080485da    653315140000.  xor edx, dword gs:[0x14]
|           0x080485e1    7405           je 0x80485e8
|           0x080485e3    e8f8fdffff     call sym.imp.__stack_chk_fail
|           0x080485e8    c9             leave
\           0x080485e9    c3             ret

The instructions from 0x08048542 to 0x08048566 store several string constants on the stack, relative to ESP:

Address      Hex         ASCII
esp + 0x18   0x786573    sex
esp + 0x25   0x72636573  secr
esp + 0x29   0x7465      et
esp + 0x1c   0x646f67    god
esp + 0x20   0x65766f6c  love

The getchar calls at 0x0804857f, 0x08048588 and 0x08048591 then read three characters of input into esp + 0x14 (NUL-terminated at esp + 0x17), and strcmp compares that buffer with the string at esp + 0x18. Let’s try our new password.
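To make the frame layout concrete, here is an added Python script (not part of the original write-up) that replays the immediate stores from the listing into a 0x30-byte frame, recovers every C string in it, and models the three-getchar() comparison; the store list is transcribed from the disassembly above, and the EOF handling is an assumption about getchar() returning -1.

```python
import struct

# (esp offset, store width in bytes, immediate) transcribed from sym.main.
FRAME_STORES = [
    (0x18, 4, 0x786573),    # mov dword [esp+0x18], "sex\0"
    (0x25, 4, 0x72636573),  # mov dword [esp+0x25], "secr"
    (0x29, 2, 0x7465),      # mov word  [esp+0x29], "et"
    (0x2b, 1, 0),           # mov byte  [esp+0x2b], 0
    (0x1c, 4, 0x646f67),    # mov dword [esp+0x1c], "god\0"
    (0x20, 4, 0x65766f6c),  # mov dword [esp+0x20], "love"
    (0x24, 1, 0),           # mov byte  [esp+0x24], 0
]
FRAME_SIZE = 0x30  # sub esp, 0x30; esp+0x2c..0x2f hold the canary at runtime


def build_frame(stores, size=FRAME_SIZE):
    """Replay the stores into a zeroed little-endian stack frame."""
    frame = bytearray(size)
    fmt = {4: "<I", 2: "<H", 1: "<B"}
    for off, width, imm in stores:
        frame[off:off + width] = struct.pack(fmt[width], imm)
    return bytes(frame)


def recover_strings(frame):
    """Walk the frame and return every NUL-terminated string by start offset."""
    found, off = {}, 0
    while off < len(frame):
        if frame[off] == 0:
            off += 1
            continue
        end = frame.index(b"\x00", off)
        found[off] = frame[off:end].decode("ascii")
        off = end + 1
    return found


def check_passes(frame, typed):
    """Model main: three getchar() bytes at esp+0x14, NUL at esp+0x17,
    then strcmp against esp+0x18. A short input hits EOF; getchar() returns
    -1, which 'mov byte [esp+..], al' truncates to 0xff (assumption)."""
    chars = typed[:3] + b"\xff" * (3 - len(typed[:3]))
    input_buf = chars + b"\x00"
    expected = frame[0x18:0x18 + 4]
    return input_buf.split(b"\x00")[0] == expected.split(b"\x00")[0]


if __name__ == "__main__":
    frame = build_frame(FRAME_STORES)
    for off, s in sorted(recover_strings(frame).items()):
        print(f"esp + {off:#04x}: {s!r}")
    print("sex accepted:", check_passes(frame, b"sex\n"))
```

Walking the frame shows that the two partial stores at esp + 0x25 and esp + 0x29 form one string, "secret", while the buffer strcmp actually reads is the one at esp + 0x18.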

[email protected]:~$ ./check
password: sex
$ whoami
leviathan2

Bingo, we’re in! Let’s grab the password and go to the next level.

$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta