Leviathan Walkthrough

Leviathan Level 0

Objective: Locate and extract a hidden password from backup files.

Begin by connecting to the Leviathan server using SSH:

ssh leviathan0@leviathan.labs.overthewire.org -p 2223

When prompted for a password, enter: leviathan0

Once connected, start by exploring your environment. List all files in the home directory, including hidden ones:

ls -la

You'll notice a hidden directory called .backup. Hidden files and directories (those starting with a dot) are commonly used to store configuration data or, in CTF challenges, important clues.

Navigate into the backup directory:

cd .backup
ls -la

Inside, you'll find a file named bookmarks.html. This appears to be a web browser bookmarks file containing various URLs.

Rather than using cat to display the entire file (which could be lengthy), use less for better navigation:

less bookmarks.html

Within less, search for password-related content by typing / followed by your search term:

/password

Press Enter to search, and use n to find the next occurrence if needed.

You should discover a bookmark entry that contains the password for the next level embedded within the URL.

Key Learnings:

This level teaches the importance of thorough file system exploration and introduces the concept that sensitive information is often hidden in unexpected places. The less command's search functionality (/pattern) is invaluable for quickly finding specific content in large files, making it superior to cat for investigative work.

Leviathan Level 1

Objective: Reverse engineer a password-checking executable to discover its authentication mechanism.

Connect to level 1 using the password discovered in the previous level:

ssh leviathan1@leviathan.labs.overthewire.org -p 2223

Explore the directory structure:

ls -la

You'll find an executable file named check. This is a binary program that we need to analyze.

First, examine the file's properties:

file check

This command reveals information about the file type, architecture, and whether it's stripped of debugging symbols.

Execute the program to understand its expected behavior:

./check

The program prompts you to enter a password. Try a few common passwords like "password", "admin", or "123456" to see how it responds.

Since trying passwords manually is inefficient, use dynamic analysis to understand what the program is actually checking. The ltrace command traces library function calls made by the program:

ltrace ./check

When prompted for a password, enter any test string (e.g., "test"). The ltrace output will show library function calls, including string comparison functions.

Look for a line containing strcmp - this function compares two strings. You should see something like:

strcmp("test", "sex") = 19

This reveals that the program is comparing your input against the hardcoded string "sex". Now run the program again with the correct password:

./check

Enter: sex

Success! The program should provide you with a shell or display the next level's password.

Key Learnings:

This level introduces dynamic binary analysis using ltrace, which is essential for understanding program behavior without access to source code. The strcmp function is commonly used for string comparisons in C programs, and observing its parameters through ltrace is a fundamental reverse engineering technique. This approach works because many simple authentication mechanisms rely on plaintext string comparisons.

Leviathan Level 2

Objective: Exploit a file-reading program through symbolic link manipulation to access restricted files.

Log in to level 2:

ssh leviathan2@leviathan.labs.overthewire.org -p 2223

Examine the available files:

ls -la

You'll find an executable called printfile. Let's understand its functionality.

First, run the program without arguments to see its usage:

./printfile

The program expects a filename as an argument and presumably prints the file's contents.

Test it with a file you know you can read:

./printfile /etc/passwd

This should successfully display the contents of the passwd file.

Now, attempt to read the password file for the next level:

./printfile /etc/leviathan_pass/leviathan3

This will fail with a permission denied error, indicating the program has some access control mechanism.

To understand the program's behavior better, use ltrace:

ltrace ./printfile /etc/passwd

Observe the system calls made by the program. You might see calls to access() or stat() functions that check file permissions.

The key insight is that some programs check permissions on the file path provided, but then open and read the actual file. If we can create a symbolic link, the permission check might pass on the link while the actual read operation accesses the target file.

Create a working directory in /tmp (a location where you have write permissions):

mkdir /tmp/lev2
cd /tmp/lev2

Create a symbolic link pointing to the restricted password file:

ln -s /etc/leviathan_pass/leviathan3 mylink

Verify the symbolic link was created correctly:

ls -la mylink

You should see the link pointing to the target file.

Now use the printfile program with your symbolic link:

/home/leviathan2/printfile mylink

If successful, this will display the password for level 3.

Key Learnings:

This level teaches symbolic link exploitation, a common technique in privilege escalation scenarios. The vulnerability occurs when programs perform security checks on symbolic links themselves rather than their targets, or when there's a race condition between the check and the actual file operation. Understanding the difference between symbolic links and hard links, and how programs interact with them, is crucial for both exploitation and defensive programming.

Leviathan Level 3

Objective: Analyze a binary that implements a simple authentication scheme and extract the correct credentials.

Connect to level 3:

ssh leviathan3@leviathan.labs.overthewire.org -p 2223

Explore the directory contents:

ls -la

You'll find a binary named level3.

Execute the program to understand its behavior:

./level3

The program prompts for a password, similar to the previous level's check program.

Rather than guessing, use dynamic analysis immediately. Run the program under ltrace:

ltrace ./level3

When prompted, enter a test password like "test" or "password".

Examine the ltrace output carefully. Look for strcmp function calls that compare your input with the expected password. You should see something like:

strcmp("test", "snlprintf") = ...

The exact string may vary, but you'll be able to identify the hardcoded password the program expects.

Run the program again with the discovered password:

./level3

Enter the password revealed by ltrace (likely "snlprintf" or similar).

Upon successful authentication, you should be granted access to a shell or receive the next level's password.

Key Learnings:

This level reinforces the dynamic analysis techniques learned in level 1, demonstrating that the same approach can be applied to different binaries. It also highlights why hardcoded passwords in binaries are a significant security vulnerability - they can be easily discovered through reverse engineering. In real-world scenarios, this technique is often the first step in analyzing unknown malware or proprietary software.

Leviathan Level 4

Objective: Discover hidden directories, analyze binary output, and convert encoded data to readable format.

Log in to level 4:

ssh leviathan4@leviathan.labs.overthewire.org -p 2223

Perform a comprehensive directory listing:

ls -la

Notice the presence of a hidden directory called .trash.

Navigate into the hidden directory:

cd .trash
ls -la

Inside, you'll find an executable named bin.

Execute the binary to observe its behavior:

./bin

The program outputs a long string of binary digits (0s and 1s). This appears to be binary-encoded data that needs to be converted to human-readable format.

Capture the output for analysis:

./bin > binary_output.txt
cat binary_output.txt

The output is a sequence of binary digits representing ASCII characters. Each group of 8 bits represents one ASCII character. To convert this manually or programmatically, you need to:

1. Split the binary string into 8-bit chunks
2. Convert each 8-bit binary number to decimal
3. Convert the decimal number to its corresponding ASCII character

If Python is available on the system, you can convert the binary directly:

python3 -c "
binary_string = '''$(./bin)'''
ascii_result = ''.join([chr(int(binary_string[i:i+8], 2)) for i in range(0, len(binary_string), 8)])
print(ascii_result)
"

Alternatively, you can copy the binary output and use an online binary-to-ASCII converter.

The decoded message should reveal the password for the next level.

Key Learnings:

This level teaches data encoding and decoding concepts, specifically binary-to-ASCII conversion. Understanding different data representation formats (binary, hexadecimal, Base64, etc.) is crucial in cybersecurity for analyzing malware, network traffic, and encoded payloads. The level also reinforces the importance of thoroughly exploring file systems, including hidden directories that may contain crucial information.

Leviathan Level 5

Objective: Exploit a program's file handling mechanism using symbolic links to redirect file operations.

Connect to level 5:

ssh leviathan5@leviathan.labs.overthewire.org -p 2223

Examine the available files:

ls -la

You'll find an executable named leviathan5.

Run the program to understand its expected behavior:

./leviathan5

The program likely displays an error message indicating it cannot find a specific file, probably /tmp/file.log.

Use ltrace to analyze the program's system calls:

ltrace ./leviathan5

The trace should reveal that the program attempts to open /tmp/file.log for reading. When this file doesn't exist, the program fails.

You can also use strace to see system calls:

strace ./leviathan5

Look for open() or openat() system calls that show which files the program is trying to access.

The exploit strategy is to create a symbolic link from the expected file path to the password file we want to read. This way, when the program tries to read /tmp/file.log, it will actually read the password file.

Create the symbolic link:

ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log

Verify the symbolic link was created correctly:

ls -la /tmp/file.log

You should see the link pointing to the password file.

Now execute the program again:

./leviathan5

The program should now successfully read and display the contents of the password file through the symbolic link.

Key Learnings:

This level demonstrates another application of symbolic link exploitation, showing how programs that expect specific file paths can be manipulated. It also introduces the use of strace for system call tracing, which complements ltrace for understanding program behavior. The combination of static analysis (understanding what the program should do) and dynamic analysis (observing what it actually does) is a fundamental approach in reverse engineering and vulnerability research.

Leviathan Level 6

Objective: Develop and implement an automated brute-force attack against a PIN-protected program.

Log in to level 6:

ssh leviathan6@leviathan.labs.overthewire.org -p 2223

Explore the directory structure:

ls -la

You'll find an executable named leviathan6.

Test the program's functionality:

./leviathan6

The program displays a usage message indicating it expects a 4-digit code as a command-line argument.

Try the program with a sample PIN:

./leviathan6 1234

The program responds with "Wrong" for incorrect codes.

Test a few more codes to understand the pattern:

./leviathan6 0000
./leviathan6 9999

Since there are 10,000 possible 4-digit combinations (0000-9999), manual testing would be impractical. This scenario calls for automation through scripting.

Create a working directory for our script:

mkdir /tmp/lev6_work
cd /tmp/lev6_work

Create a brute-force script using your preferred text editor:

nano brute_force.sh

Implement a comprehensive brute-force script:

#!/bin/bash

echo "Starting brute-force attack on leviathan6..."
echo "Testing PIN range: 0000-9999"
echo "This may take several minutes..."

start_time=$(date +%s)
attempts=0

for pin in {0000..9999}
do
    attempts=$((attempts + 1))
    
    # Run the program and capture both stdout and stderr
    result=$(~/leviathan6 $pin 2>&1)
    
    # Check if the result doesn't contain "Wrong"
    if [[ $result != *"Wrong"* ]]; then
        end_time=$(date +%s)
        duration=$((end_time - start_time))
        
        echo ""
        echo "SUCCESS!"
        echo "Found correct PIN: $pin"
        echo "Program output: $result"
        echo "Total attempts: $attempts"
        echo "Time elapsed: ${duration} seconds"
        break
    fi
    
    # Progress indicator - show every 500 attempts
    if [ $((attempts % 500)) -eq 0 ]; then
        echo "Progress: Tested $attempts PINs (current: $pin)..."
    fi
done

echo "Brute-force attack completed."

Make the script executable and run it:

chmod +x brute_force.sh
./brute_force.sh

The script will systematically try each PIN combination until it finds the correct one. The correct PIN is typically around 7123, and the program will display the password when the correct PIN is entered.

For faster execution, you could also use a one-liner approach:

for pin in {0000..9999}; do result=$(~/leviathan6 $pin 2>&1); if [[ $result != *"Wrong"* ]]; then echo "PIN: $pin, Result: $result"; break; fi; done

Key Learnings:

This level teaches practical automation techniques for security testing, specifically brute-force attacks against weak authentication mechanisms. The bash range expansion {0000..9999} provides an efficient way to generate sequential numbers with leading zeros. The level also demonstrates why proper rate limiting, account lockouts, and strong authentication mechanisms are crucial in real-world applications. From a defensive perspective, this attack could be detected through monitoring for repeated failed authentication attempts from the same source.

Leviathan Level 7

Objective: Complete the Leviathan wargame and reflect on the skills acquired throughout the challenge series.

Log in to the final level:

ssh leviathan7@leviathan.labs.overthewire.org -p 2223

Explore the directory to find the completion message:

ls -la

You should see a file named CONGRATULATIONS.

Read the congratulations message:

cat CONGRATULATIONS

Challenge Complete!

Congratulations on completing the Leviathan wargame! This achievement demonstrates your growing proficiency in binary analysis and exploitation techniques.

Skills and Techniques Mastered:

Dynamic Binary Analysis

• Using ltrace to trace library function calls and identify authentication mechanisms
• Employing strace to monitor system calls and understand program behavior
• Analyzing program flow and identifying security vulnerabilities through runtime observation

File System Exploitation

• Symbolic link manipulation for privilege escalation and access control bypass
• Understanding the difference between file path validation and actual file access
• Exploiting programs that trust user-controlled file paths

Data Analysis and Conversion

• Binary-to-ASCII conversion and understanding different data encoding schemes
• Pattern recognition in program output and encoded data
• Using command-line tools and scripting for data manipulation

Automation and Scripting

• Developing bash scripts for automated security testing
• Implementing brute-force attacks with progress monitoring
• Understanding when manual analysis should be supplemented with automation

Security Concepts

• Hardcoded credentials as a security vulnerability
• Time-of-check to time-of-use (TOCTOU) race conditions
• Weak authentication mechanisms and their exploitation
• The importance of input validation and secure coding practices

Real-World Applications:

The techniques learned in Leviathan have direct applications in:

• Penetration Testing: Analyzing binaries during security assessments
• Malware Analysis: Understanding malicious software behavior
• Incident Response: Investigating compromised systems and understanding attack vectors
• Secure Development: Identifying and preventing common vulnerabilities in your own code

Recommended Next Steps:

OverTheWire Challenges

• Narnia: Stack-based buffer overflow exploitation
• Behemoth: Advanced binary exploitation and reverse engineering
• Utumno: Complex multi-stage exploitation challenges
• Maze: Network protocol analysis and exploitation

Advanced Learning Platforms

• HackTheBox: Real-world machine exploitation scenarios
• TryHackMe: Structured learning paths for cybersecurity skills
• PicoCTF: Competition-style challenges covering various security domains
• Exploit Education: Phoenix and other advanced exploitation challenges

Specialized Tools to Explore

• Ghidra: NSA's free reverse engineering tool
• IDA Pro: Industry-standard disassembler and debugger
• GDB: GNU debugger for dynamic analysis
• Burp Suite: Web application security testing

The foundation you've built through Leviathan provides an excellent stepping stone to more advanced cybersecurity challenges. Each technique mastered here will prove valuable as you tackle increasingly complex scenarios in your cybersecurity journey.