Level 2 -> Level 3

ssh leviathan3@leviathan.labs.overthewire.org -p 2223
Password: Ahdiemoo1j

leviathan3@leviathan:~$ ltrace ./level3

__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> kakaka
"kakaka\n", 256, 0xf7fc55a0) = 0xffffd590
strcmp("kakaka\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
)

Note that in a second call, strcmp compares the string we entered with "snlprintf".

We try snlprintf:

leviathan3@leviathan:~$ ltrace ./level3

__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> snlprintf
"snlprintf\n", 256, 0xf7fc55a0) = 0xffffd590
strcmp("snlprintf\n", "snlprintf\n") = 0
puts("[You've got shell]!"[You've got shell]!
) = 20
geteuid() = 12003
geteuid() = 12003
setreuid(12003, 12003) = 0
system("/bin/sh"$

Voilà, we get a shell:

leviathan3@leviathan:~$ ./level3

Enter the password> snlprintf
[You've got shell]!

$ whoami
leviathan4

$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m
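
The ltrace observation above, turned into a check you can run against traces of your own binaries (an added example, not part of the original write-up): it correlates the buffer filled by fgets with later strcmp arguments and reports the constant on the other side, so the first strcmp, which does not involve the input, is not flagged. It assumes the trace was written to a file with ltrace -o so program output is not interleaved; SAMPLE_TRACE is constructed from the calls shown above, and leaked_constants is a hypothetical helper name.

```python
import re

# Constructed sample: the library calls from the first run above, as ltrace
# writes them to a file (straight quotes, "\n" shown escaped).
SAMPLE_TRACE = r'''
__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0 <unfinished ...>
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets("kakaka\n", 256, 0xf7fc55a0) = 0xffffd590
strcmp("kakaka\n", "snlprintf\n") = -1
'''

CALL = re.compile(r'^(\w+)\((.*)\)\s*=\s*\S+$')   # name(args) = retval
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')       # quoted string arguments
INPUT_FUNCS = {"fgets", "gets", "read"}
COMPARE_FUNCS = {"strcmp", "strncmp", "strcasecmp", "memcmp"}


def leaked_constants(trace):
    """Return (function, constant) pairs where a buffer read from the user
    is compared against a literal that the trace exposes in the clear."""
    seen_input = set()
    findings = []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue  # unfinished calls and program output are skipped
        func, args = m.group(1), STRING.findall(m.group(2))
        if func in INPUT_FUNCS and args:
            seen_input.add(args[0])          # remember what the user typed
        elif func in COMPARE_FUNCS and len(args) >= 2:
            a, b = args[0], args[1]
            if a in seen_input and b not in seen_input:
                findings.append((func, b))
            elif b in seen_input and a not in seen_input:
                findings.append((func, a))
    return findings


if __name__ == "__main__":
    for func, const in leaked_constants(SAMPLE_TRACE):
        print(f"{func} compares user input against exposed constant: {const}")
```

A non-empty result means the reference value crosses a library-call boundary in plaintext, which is exactly what the trace in this level reveals.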