This challenge looks a little like one we’ve done before. It asks us for a password, and spits out an error message when we don’t get it right. Falling back to the same old tricks agian, we try strings.
leviathan3@leviathan:~$ strings -d ./level3
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
__stack_chk_fail
stdin
printf
fgets
system
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.4
GLIBC_2.0
PTRh@
snlp
rintf
D$L1
D$#bombf
D$'ad
D$8...s
D$<3cr3f
D$@t
D$*h0nof
D$.33
D$1kakaf
D$5ka
D$B*32.
D$F2*[xf
D$J]
T$Le3
[^_]
[You've got shell]!
/bin/sh
bzzzzzzzzap. WRONG
Enter the password>
;*2$"
secret
leviathan3@leviathan:~$
Secret looks pretty tempting, but trying that one gets us nowhere. I tried a few other strings that looked decent, but again, no joy. I decided to bend the rules here a little and use ltrace. Ltrace is a unix command that will execute whatever program we give it and print out information about what function calls it’s making. The description for this wargrame said we wouldn’t need to be programmers, and this is probably leaning towards the “programmery” side of things. However, it’s still a unix command, so I’m considering it fair game.
leviathan3@leviathan:~$ ltrace ./level3
__libc_start_main(0x80485fe, 1, 0xffffd804, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> stuff
"stuff\n", 256, 0xf7fcbc20) = 0xffffd5fc
strcmp("stuff\n", "snlprintf\n") = 1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
) = 19
+++ exited (status 0) +++
leviathan3@leviathan:~$
We can see pretty clearly here that the password we enter is being compared to “snlprintf”. Invoking the program one last time, we enter the correct password and get a shell running as leviathan4.
leviathan3@leviathan:~$ ./level3
Enter the password> snlprintf
[You've got shell]!
$ whoami
leviathan4
$ cat /etc/leviathan_pass/leviathan4
XXXXXXX
$