Leviathan Level 2 → Level 3 | Learn Basic Exploitation Techniques
Learn linux command by playing Leviathan
wargame from OverTheWire. This wargame doesn’t require any knowledge about programming - just a bit of common sense and some knowledge about basic *nix commands.
Below is the solution of Level 2 → Level 3. In this post we will learn how to use a debugging tool ltrace to exploit a program and a vulnerability in access() known as TOCTOU race (Time of Check to Time of Update). We will learn how to create symbolic files in Linux.
Command to login is
ssh firstname.lastname@example.org -p 2223
and password is
In the directory we have a binary file printfile
which can run as user leviathan3. Using this file we tried to see the password for next level using command
but we received an output “You cant have that file…
with the above command
ltrace ./printfile /etc/leviathan_pass/leviathan3
we found that access function returns
, that means we do not have read permissions for the file. But we have read permission for the file /etc/leviathan_pass/leviathan2
After running command
ltrace ./printfile /etc/leviathan_pass/leviathan2
we found that first
for the file means we have read permission for it. Then function
writes a string consisting of /bin/cat
and file path. Then function
is called which displays the content of the file.
int access(const char *pathname, int mode);
checks whether the calling process can access the file pathname
. If pathname
is a symbolic link, it is dereferenced.
specifies the accessibility
to be performed and
specifies read permission.
On success (all requested permissions granted),
is returned. On error (at least one bit in mode asked for a permission that is denied, or some other error occurred),
int snprintf( char * restrict dest, size_t n, const char * restrict format, ... );
function is similar to
, but writes its output as a string in the buffer referenced by the first pointer argument, dest
, rather than to stdout. Furthermore, the second argument, n
, specifies the maximum number of characters that
may write to the buffer, including the terminating null character.
The return value is the number of characters (not counting the terminating null character) that would have been written if n had been large enough.
function has a vulnerability TOCTOU race
(Time of Check to Time of Update
). The program calls the
, then it calls the
. In the small time between the two calls, the file may have changed. A malicious user could substitute a file he has access to for a symbolic link to something he doesn’t have access to between the
So we create a file symlink with symbolic link to /etc/leviathan_pass/leviathan3. But we cannot pass symlink with binary file, so we create another file a space. The name of another file is symlink space. Instead if creating two files we can create on file symlink space.
We pass symlink space
with the binary file and the
function will accept the complete path of the file but /bin/cat will treat symlink
as different files and it will only accept the symlink
. When the
function is called it will output the content in the file linked by symlink
touch symlink\ space
Command to create symbolic link
ln -s /etc/leviathan_pass/leviathan3 /tmp/pc123/symlink
Then run command
./printfile /tmp/pc123/symlink\ space
and the password is
Subscribe to get your daily round-up of top tech stories!