Computer Security

#1 Wargame leviathan1 (Level0 ~ Level2), radare2

쿠리 Kuri 2022. 7. 26. 18:30

First of all, leviathan does not give you any hints!

Data for the levels can be found in the homedirectories. You can look at /etc/leviathan_pass for the various level passwords. 

It says that the password for each leviathan level is in /etc/leviathan_pass.


Level0 -> Level1

 

1. As the most basic first step, use the ls -al command to see which files are there.

leviathan0@leviathan:~$ ls -al
total 24
drwxr-xr-x  3 root       root       4096 Aug 26  2019 .
drwxr-xr-x 10 root       root       4096 Aug 26  2019 ..
drwxr-x---  2 leviathan1 leviathan0 4096 Aug 26  2019 .backup
-rw-r--r--  1 root       root        220 May 15  2017 .bash_logout
-rw-r--r--  1 root       root       3526 May 15  2017 .bashrc
-rw-r--r--  1 root       root        675 May 15  2017 .profile

 

 

 

2. cd into .backup and check its contents.

leviathan0@leviathan:~$ cd .backup
leviathan0@leviathan:~/.backup$ ls -al
total 140
drwxr-x--- 2 leviathan1 leviathan0   4096 Aug 26  2019 .
drwxr-xr-x 3 root       root         4096 Aug 26  2019 ..
-rw-r----- 1 leviathan1 leviathan0 133259 Aug 26  2019 bookmarks.html

 

 

 

3. There is a bookmarks.html file, so let's read it!

leviathan0@leviathan:~/.backup$ cat bookmarks.html
<DT><A HREF="http://atrios.blogspot.com/" ADD_DATE="1118289835" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Reality-Based Community</A>
<DT><A HREF="http://www.gadflyonline.com/" ADD_DATE="1150111492" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Gadfly Online</A>
<DT><A HREF="http://gawker.com" ADD_DATE="1101344921" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Gawker</A>
<DT><A HREF="http://laweekly.com/" ADD_DATE="1103050763" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">L.A. Weekly</A>
<DT><A HREF="http://whatisthemessage.blogspot.com/" ADD_DATE="1100588795" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">McLuhan-oriented</A>
<DT><A HREF="http://newyorkobserver.com/index_go.html" ADD_DATE="1140447749" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">New York Observer</A>

<DT><A HREF="http://nypress.com/" ADD_DATE="1147157615" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">New York Press</A>
<DT><A HREF="http://newyorker.com/" ADD_DATE="1111452000" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">The New Yorker</A>
<DT><A HREF="http://theonion.com/" ADD_DATE="1111348814" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">The Onion</A>
<DT><A HREF="http://www.paved.ca" ADD_DATE="1138792542" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Paved</A>
<DT><A HREF="http://www.poynter.org/column.asp?id=45" ADD_DATE="1127620409" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Romenesko</A>
<DT><A HREF="http://www.salon.com" ADD_DATE="1145791074" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Salon</A>
<DT><A HREF="http://seattleweekly.com/" ADD_DATE="1138310979" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Seattle Weekly</A>
<DT><A HREF="http://slate.msn.com" ADD_DATE="1138597774" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Slate</A>
<DT><A HREF="http://www.talkingpointsmemo.com/" ADD_DATE="1132449141" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Talking Points Memo</A>

<DT><A HREF="http://www.technorati.com/" ADD_DATE="1101195779" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Technorati</A>
<DT><A HREF="http://www.popfactor.com/tmftml/" ADD_DATE="1125605546" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">TMFTML</A>
<DT><A HREF="http://www.kentucker.net/" ADD_DATE="1132767920" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Ken Tucker</A>
<DT><A HREF="http://www.villagevoice.com/" ADD_DATE="1142982434" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">The Village Voice</A>
<DT><A HREF="http://jameswolcott.com" ADD_DATE="1132742272" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">James Wolcott</A>
<DT><A HREF="http://wonkette.com/" ADD_DATE="1136698535" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Wonkette</A>
<DT><A HREF="http://rockcriticslinks.blogspot.com/2006/05/unclassifiable-at-any-speed.html" ADD_DATE="1115543737" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">scott&nbsp;&nbsp;# 10:02 PM</A>
<DT><A HREF="http://www.blogger.com/post-edit.g?blogID=20555422&amp;postID=114818420723428345&amp;quickEdit=true" ADD_DATE="1106107942" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71"><span class="quick-edit-icon">&nbsp;</span></A>
<DT><A HREF="http://www.dissensus.com/" ADD_DATE="1156764829" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Dissensus</A>

<DT><A HREF="http://groups.yahoo.com/group/girlgroup/" ADD_DATE="1111744232" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Girl Group Mailing List</A>
<DT><A HREF="http://ilx.wh3rd.net/newquestions.php?board=2" ADD_DATE="1127933066" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">I Love Music</A>
<DT><A HREF="http://ilx.wh3rd.net/newquestions.php?board=1" ADD_DATE="1129129574" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">I Love Everthing</A>
<DT><A HREF="http://rockcriticslinks.blogspot.com/2006/05/chats.html" ADD_DATE="1112723149" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">scott&nbsp;&nbsp;# 9:50 PM</A>
<DT><A HREF="http://www.blogger.com/post-edit.g?blogID=20555422&amp;postID=114818435509754093&amp;quickEdit=true" ADD_DATE="1155588908" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71"><span class="quick-edit-icon">&nbsp;</span></A>
<DT><A HREF="http://www.chictribute.com/index2.html" ADD_DATE="1153283458" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Chic</A>
<DT><A HREF="http://www.drummerworld.com/" ADD_DATE="1140777901" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Drummers</A>
<DT><A HREF="http://www.girl-groups.com/" ADD_DATE="1113627599" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Girl Groups</A>
<DT><A HREF="http://hometown.aol.co.uk/glamrockbear/" ADD_DATE="1143143806" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Glam Rock</A>

<DT><A HREF="http://www.jgeoff.com/godfather/gf1/" ADD_DATE="1142071680" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">The Godfather</A>
<DT><A HREF="http://guitar-masters.com/Guitars/" ADD_DATE="1116627220" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Guitars</A>
<DT><A HREF="http://www.ktelclassics.com/" ADD_DATE="1143681459" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">K-Tel</A>
<DT><A HREF="http://www.maxskansascity.com/" ADD_DATE="1122268285" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Max's</A>
<DT><A HREF="http://www.planetmellotron.com/" ADD_DATE="1103533691" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Mellotrons</A>
<DT><A HREF="http://www.scorsesefilms.com/" ADD_DATE="1155082316" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Martin Scorsese</A>
<DT><A HREF="http://homepage.mac.com/johnhyde/Events184.html" ADD_DATE="1133565956" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Scritti Politti</A>
<DT><A HREF="http://www.theshangri-las.com/Shadow%20Morton%20interview.htm" ADD_DATE="1142275091" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Shadow</A>
<DT><A HREF="http://www.sparks-fanatics.com/" ADD_DATE="1122451582" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Sparks</A>

<DT><A HREF="http://www.synthfool.com/pics.html" ADD_DATE="1119105886" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Synthesizers</A>
<DT><A HREF="http://www.msu.edu/user/svoboda1/taxi_driver/" ADD_DATE="1120334926" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Travis</A>
<DT><A HREF="http://www.paramountclassics.com/virginsuicides/html_3/" ADD_DATE="1100798213" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Virgin Suicides</A>
<DT><A HREF="http://www.warholstars.org/" ADD_DATE="1151503884" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">Warhol</A>
<DT><A HREF="http://www.x-rayspex.com/" ADD_DATE="1121479563" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">X-Ray Spex</A>


</DL><p>

It prints an HTML file like this.

4. Use the grep command to check whether this HTML file contains the password for leviathan1.

leviathan0@leviathan:~/.backup$ grep password bookmarks.html
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, 
the password for leviathan1 is rioGegei8m" 
ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

The phrase "the password for leviathan1 is rioGegei8m" appears! It looks like the password for leviathan1 is rioGegei8m.

5. Log in to leviathan1 with the password obtained above (rioGegei8m) and it succeeds!

--[ Tools ]--

 For your convenience we have installed a few usefull tools which you can find
 in the following locations:

    * pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
    * peda (https://github.com/longld/peda.git) in /usr/local/peda/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)
    * checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us through IRC on
  irc.overthewire.org #wargames.

  Enjoy your stay!

leviathan1@leviathan:~$

Level1 -> Level2

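We will solve this level using radare2.

radare2 commands

  • r2 or radare2 <filename> (-d for debug mode) // start radare2
  • afl // list the functions
  • s <function name> // seek: set the current address to the function's address
  • pd @ <function name> // disassemble starting at the function's address
  • pdf @ <function name> // view the inside of a function without seeking to it
  • px 0x20 @ <address> // hexdump; values computed from registers can also be checked
  • ps @ <address> // view a string
  • db <address> // set a breakpoint, db // check which breakpoints are set
  • dc // run
  • dr // show register values
  • ? 0x // convert to decimal
  • doo // run again
  • v // visual mode

1. ls -al shows a file named check whose permissions are -r-sr-x---; the s is the setuid bit. This means that when the file is executed, the process runs with the privileges of its owner, leviathan2.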

leviathan1@leviathan:~$ ls
check
leviathan1@leviathan:~$ ls -al
total 28
drwxr-xr-x  2 root       root       4096 Aug 26  2019 .
drwxr-xr-x 10 root       root       4096 Aug 26  2019 ..
-rw-r--r--  1 root       root        220 May 15  2017 .bash_logout
-rw-r--r--  1 root       root       3526 May 15  2017 .bashrc
-r-sr-x---  1 leviathan2 leviathan1 7452 Aug 26  2019 check
-rw-r--r--  1 root       root        675 May 15  2017 .profile

 

 

 

2. Running ./check asks for a password, and neither the leviathan0 nor the leviathan1 password was accepted.

leviathan1@leviathan:~$ ./check
password: rioGegei8m
Wrong password, Good Bye ...
leviathan1@leviathan:~$

 

 

 

3. Now we want to know how check works, so let's examine it with radare2. Start r2 with the command r2 check.

leviathan1@leviathan:~$ r2 check
 -- What has been executed cannot be unexecuted
[0x08048440]>

 

 

 

4. Run a detailed analysis with aaaaa. a stands for analysis, and each additional a makes the analysis more thorough.

[0x08048440]> a
fcns    0
xrefs   0
calls   0
strings 3
symbols 46
imports 8
covrage 64
codesz  2012
percent 3%
[0x08048440]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x08048440]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08048440]> aaaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x08048440]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x08048440]>

 

 

 

5. Use the afl command to look at the function list (afl: analysis function list).

[0x08048440]> afl
0x08048440    1 33           entry0
0x08048420    1 6            sym.imp.__libc_start_main
0x08048480    4 43           sym.deregister_tm_clones
0x080484b0    4 53           sym.register_tm_clones
0x080484f0    3 30           entry.fini0
0x08048510    4 43   -> 40   entry.init0
0x08048670    1 2            sym.__libc_csu_fini
0x08048470    1 4            sym.__x86.get_pc_thunk.bx
0x08048674    1 20           sym._fini
0x08048610    4 93           sym.__libc_csu_init
0x0804853b    4 201          main
0x08048374    3 35           sym._init
0x08048430    1 6            sym..plt.got
0x080483b0    1 6            sym.imp.strcmp
0x080483c0    1 6            sym.imp.printf
0x080483d0    1 6            sym.imp.getchar
0x080483e0    1 6            sym.imp.geteuid
0x080483f0    1 6            sym.imp.puts
0x08048400    1 6            sym.imp.system
0x08048410    1 6            sym.imp.setreuid
[0x08048440]>

 

 

 

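6. The d in pd stands for disassemble, and pdf prints the disassembly of a single function. @ means "at" and tells the command which function to operate on. Let's look at the main function with pdf @main.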

[0x08048440]> pdf @main
/ (fcn) main 201
|   int main (int argc, char **argv, char **envp);
|           ; var int32_t var_20h @ ebp-0x20
|           ; var int32_t var_1ch @ ebp-0x1c
|           ; var int32_t var_1bh @ ebp-0x1b
|           ; var int32_t var_17h @ ebp-0x17
|           ; var int32_t var_13h @ ebp-0x13
|           ; var int32_t var_11h @ ebp-0x11
|           ; var char *s2 @ ebp-0x10
|           ; var char *s1 @ ebp-0xc
|           ; var int32_t var_bh @ ebp-0xb
|           ; var int32_t var_ah @ ebp-0xa
|           ; var int32_t var_9h @ ebp-0x9
|           ; var int32_t var_8h @ ebp-0x8
|           ; arg int32_t arg_4h @ esp+0x4
|           ; DATA XREF from entry0 @ 0x8048457
|           0x0804853b      8d4c2404       lea ecx, [arg_4h]
|           0x0804853f      83e4f0         and esp, 0xfffffff0
|           0x08048542      ff71fc         push dword [ecx - 4]
|           0x08048545      55             push ebp
|           0x08048546      89e5           mov ebp, esp
|           0x08048548      53             push ebx
|           0x08048549      51             push ecx
|           0x0804854a      83ec20         sub esp, 0x20
|           0x0804854d      c745f0736578.  mov dword [s2], 0x786573    ; 'sex'
|           0x08048554      c745e9736563.  mov dword [var_17h], 0x72636573 ; 'secr'
|           0x0804855b      66c745ed6574   mov word [var_13h], 0x7465  ; 'et'
|           0x08048561      c645ef00       mov byte [var_11h], 0
|           0x08048565      c745e5676f64.  mov dword [var_1bh], 0x646f67 ; 'god'
|           0x0804856c      c745e06c6f76.  mov dword [var_20h], 0x65766f6c ; 'love'
|           0x08048573      c645e400       mov byte [var_1ch], 0
|           0x08048577      83ec0c         sub esp, 0xc
|           0x0804857a      6890860408     push str.password:          ; 0x8048690 ; "password: " ; const char *format
|           0x0804857f      e83cfeffff     call sym.imp.printf         ; int printf(const char *format)
|           0x08048584      83c410         add esp, 0x10
|           0x08048587      e844feffff     call sym.imp.getchar        ; int getchar(void)
|           0x0804858c      8845f4         mov byte [s1], al
|           0x0804858f      e83cfeffff     call sym.imp.getchar        ; int getchar(void)
|           0x08048594      8845f5         mov byte [var_bh], al
|           0x08048597      e834feffff     call sym.imp.getchar        ; int getchar(void)
|           0x0804859c      8845f6         mov byte [var_ah], al
|           0x0804859f      c645f700       mov byte [var_9h], 0
|           0x080485a3      83ec08         sub esp, 8
|           0x080485a6      8d45f0         lea eax, [s2]
|           0x080485a9      50             push eax                    ; const char *s2
|           0x080485aa      8d45f4         lea eax, [s1]
|           0x080485ad      50             push eax                    ; const char *s1
|           0x080485ae      e8fdfdffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)
|           0x080485b3      83c410         add esp, 0x10
|           0x080485b6      85c0           test eax, eax
|       ,=< 0x080485b8      752b           jne 0x80485e5
|       |   0x080485ba      e821feffff     call sym.imp.geteuid        ; uid_t geteuid(void)
|       |   0x080485bf      89c3           mov ebx, eax
|       |   0x080485c1      e81afeffff     call sym.imp.geteuid        ; uid_t geteuid(void)
|       |   0x080485c6      83ec08         sub esp, 8
|       |   0x080485c9      53             push ebx
|       |   0x080485ca      50             push eax
|       |   0x080485cb      e840feffff     call sym.imp.setreuid
|       |   0x080485d0      83c410         add esp, 0x10
|       |   0x080485d3      83ec0c         sub esp, 0xc
|       |   0x080485d6      689b860408     push str.bin_sh             ; 0x804869b ; "/bin/sh" ; const char *string
|       |   0x080485db      e820feffff     call sym.imp.system         ; int system(const char *string)
|       |   0x080485e0      83c410         add esp, 0x10
|      ,==< 0x080485e3      eb10           jmp 0x80485f5
|      ||   ; CODE XREF from main @ 0x80485b8
|      |`-> 0x080485e5      83ec0c         sub esp, 0xc
|      |    0x080485e8      68a3860408     push str.Wrong_password__Good_Bye_... ; 0x80486a3 ; "Wrong password, Good Bye ..." ; const char *s
|      |    0x080485ed      e8fefdffff     call sym.imp.puts           ; int puts(const char *s)
|      |    0x080485f2      83c410         add esp, 0x10
|      |    ; CODE XREF from main @ 0x80485e3
|      `--> 0x080485f5      b800000000     mov eax, 0
|           0x080485fa      8d65f8         lea esp, [var_8h]
|           0x080485fd      59             pop ecx
|           0x080485fe      5b             pop ebx
|           0x080485ff      5d             pop ebp
|           0x08048600      8d61fc         lea esp, [ecx - 4]
\           0x08048603
  • Here the calls to sym.imp.getchar read the password I type, one character per call (three calls in total).
  • Next comes call sym.imp.strcmp. strcmp is used to compare strings: int strcmp(const char *s1, const char *s2) compares the two strings s1 and s2.
  • s1 is the password I type, so s2 must be the password stored in the binary.
  • 0x0804854d      c745f0736578.  mov dword [s2], 0x786573    ; 'sex' shows that s2 is set to sex.
  • Therefore, the password for check is sex.
  • 689b860408     push str.bin_sh             ; 0x804869b ; "/bin/sh" shows that if the password matches, a shell is executed. Entering the correct password starts the shell, and that shell will run with leviathan2's privileges.
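The step above, reading the mov immediates as little-endian ASCII, can be automated. This is an added example, not part of the original post: it replays the immediate stores from the pdf @main listing into a simulated stack frame and recovers every string built on the stack. The instruction lines and ebp offsets are copied from the listing as sample input; the function and variable names in the script are assumptions of this example.

```python
import re

# Constructed sample: the seven immediate stores copied from the pdf @main listing.
DISASM = """\
0x0804854d  c745f0736578.  mov dword [s2], 0x786573    ; 'sex'
0x08048554  c745e9736563.  mov dword [var_17h], 0x72636573 ; 'secr'
0x0804855b  66c745ed6574   mov word [var_13h], 0x7465  ; 'et'
0x08048561  c645ef00       mov byte [var_11h], 0
0x08048565  c745e5676f64.  mov dword [var_1bh], 0x646f67 ; 'god'
0x0804856c  c745e06c6f76.  mov dword [var_20h], 0x65766f6c ; 'love'
0x08048573  c645e400       mov byte [var_1ch], 0
"""

# Distance below ebp, from the "; var ... @ ebp-0x.." lines of the same listing.
VARS = {"s2": 0x10, "var_17h": 0x17, "var_13h": 0x13, "var_11h": 0x11,
        "var_1bh": 0x1b, "var_20h": 0x20, "var_1ch": 0x1c}
WIDTH = {"byte": 1, "word": 2, "dword": 4}
STORE = re.compile(r"mov (byte|word|dword) \[(\w+)\], (0x[0-9a-fA-F]+|\d+)")


def stack_strings(disasm, var_offsets, frame_size=0x20):
    """Replay immediate stores into a fake frame and return {variable: string}."""
    frame = bytearray(b"\xff" * frame_size)  # 0xff marks bytes never written
    starts = []
    for size, var, imm in STORE.findall(disasm):
        n = WIDTH[size]
        pos = frame_size - var_offsets[var]  # index 0 corresponds to ebp-frame_size
        # x86 stores the least significant byte at the lowest address.
        frame[pos:pos + n] = int(imm, 0).to_bytes(n, "little")
        starts.append((pos, var))

    found = {}
    for pos, var in sorted(starts):
        # Skip stores that continue (or terminate) a string begun at a lower address.
        if pos > 0 and frame[pos - 1] not in (0x00, 0xFF):
            continue
        end = frame.find(b"\x00", pos)
        raw = bytes(frame[pos:end if end != -1 else frame_size])
        if raw and all(0x20 <= b < 0x7F for b in raw):
            found[var] = raw.decode("ascii")
    return found


if __name__ == "__main__":
    for var, text in stack_strings(DISASM, VARS).items():
        print(f"{var}: {text!r}")
```

Of the recovered strings, only s2 is passed to strcmp (lea eax, [s2] at 0x080485a6); the other three are never compared. Because the binary is readable by the leviathan1 group, any secret stored in it this way is recoverable without ever running it.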

 

7. Type q to exit, then run ./check again and enter sex at the password prompt.

[0x08048440]> q
r_sys_mkdirp: fail '/home/leviathan1/.cache' of '/home/leviathan1/.cache/radare2'
could not save history into /home/leviathan1/.cache/radare2
leviathan1@leviathan:~$ ./check
password: sex
$

 

 

 

8. Run id to confirm that we now have leviathan2's privileges.

$ id
uid=12002(leviathan2) gid=12001(leviathan1) groups=12001(leviathan1)
$

We can confirm that the privileges are those of leviathan2.

9. Now that we have the privileges, use cat /etc/leviathan_pass/leviathan2 to find the password for leviathan2.

$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta
$

 

 

 

10. Log in to leviathan2 with the password we found (ougahZi8Ta) and it succeeds!


leviathan2@leviathan:~$

 
