What is going on everybody, welcome back to the YouTube video. My name is John Hammond, and we are still in the Leviathan wargame from OverTheWire. We just got the password for level 2, so now we can use our sshpass command, passing the password, just some command substitution using the most recent and most normal syntax for command substitution, dollar sign parentheses, making sure we're using the right user and the right port, now 2223. So once we connect, we've got our home directory, and there's a file in here called printfile, so let's run this. printfile looks like it's a binary that will, "file printer", maybe just print out a file or show it on the screen, so give it a file name. How about /etc/passwd, because we know that that file exists all the time? Okay, and it just cats it out. It just prints it out.

Can we use this to print out the password for the next level, for Leviathan level 3? If you can see, it was displayed in red here, and that's kind of a symbol with LS_COLORS to say that this is a setuid binary. That s here in the permissions is saying that this file is owned by Leviathan level 3, or the user for Leviathan 3, when we are only Leviathan 2. So running this binary lets us borrow the temporary privileges and permissions that Leviathan 3 has, so everything that this binary can do lets us elevate to Leviathan 3. So we've got to exploit the program or figure out a way that we can take advantage of it and get the password for the next user, to get the password for Leviathan 3.

So we ran ltrace in the previous video. Let's do that again now, but I do want to see what will happen if we can't read a file, because will it let us just read the Leviathan 3 password? It says I can't have that file. Okay, whatever, let's move on, I suppose. How was it? How does it figure out that I don't have permission, when clearly Leviathan 3 has permission to read that file?
Let's check out what it's doing with ltrace again. I'm just using ltrace at the very start of the command and using the dot-slash, so I execute the binary and let ltrace monitor what it's doing. So it runs access, a library function that will check what kind of permissions this user has on the file that is passed to it. Looks like it just used the /etc/leviathan_pass/leviathan3 file name that I gave it, and it realized I didn't have permission to read it, so it errored out. But it had no problem reading /etc/passwd. So what happened here? Let me scroll up here and kind of read through this.

So this is where we left off: we weren't able to read that one. But when I ran, as leviathan2, ltrace ./printfile /etc/passwd, it ran that same access function, checked that I can read that file, and then it ran printf, or snprintf. So, okay, it's copying some string to some buffer here, and I guess it's just using, okay, printf for the format specifier, so the percent s copies in the file that I gave it, that argument that we passed, /etc/passwd, into the string /bin/cat, or some "bin cat", just running the cat command, and finally we're ending up with the string "/bin/cat /etc/passwd". But all it's doing is just putting our argument right in a system command.
It looks like it just runs this and executes this command down here. And here is where we're running geteuid, get effective user ID, and setting our effective user ID. So this section, only after we've determined that we can access the file, is where we are going to determine if we can read the file for you, or let the program print it out for you. So we won't be able to elevate our privileges to be Leviathan 3 until we can get a file that we can access. So, weird, um, but maybe there's some command injection we can do here, because our string, it's just getting through if we have a file we can access, and it's passing it right to system. So we can maybe have command execution in this.

Let's try something. Um, I'm going to make a temporary directory with mktemp -d, so we have a home to work in. I will copy this. So now we can create a file. Um, I'll just call this, I'm gonna use touch to just name it, I'm gonna call it "fake", and we want to try and execute another command following this. So normally you could do that with a colon, or a semicolon, in bash. So let's do that same thing and treat that as the file name, so that when the program tries to run /bin/cat on "fake;bash", we will give the program "fake;bash" as if it's a file name, but the program will evaluate this string as executing the cat command with fake as the argument, and then evaluate the rest of this command to run bash as another separate command or process. So kind of a little bit of a hack, kind of a little bit of a tweak there. Let's try that. Um, make this file. Now if I just run touch fake;bash like this, there'll be an issue, right?
We can see we've created the fake command, but I'm just running bash in a new shell. If I were to exit out of this, I won't exit my connection, because I was in another bash, an internal shell, just then. We wanted to create that file "fake;bash" with quotes around it, or a single quote, so that bash will interpret this literally and it won't evaluate the semicolon and the next command to literally mean a new command we want to run. We just want a file name with that peculiar name. So now when I run this, you can see "fake;bash". Now we can run printfile with our string "fake;bash", so it will access the file. Oh, it's not letting me do that. Oh, let's see, it did kind of work. I mean, it did work, right? We're Leviathan 3 right now, but it tried to run cat on the fake file, because again, when we saw /bin/cat evaluated, it ran for the file name "fake", because the semicolon preceded that and it looked like its own command, but we don't have a file named "fake". So we ended up just running bash, and now we are Leviathan level 3. You can see that in whoami, so I can just go ahead and cat out, nope, not in /bin anymore, cat out /etc/leviathan_pass/leviathan3, and we've got the password. Cool, cool, neat hack. Exiting the shells, because we were in a new one, right? Let's put this in Leviathan 3.

And I think that's all I want to do for this video. It's getting a little bit long. So thank you guys for watching, hope you enjoyed this, um, and please, uh, if you had another idea or some other solution for solving some of this stuff... I am not the best source, you know, I say that, uh, with a complete disclaimer and complete warning and notice. Uh, yeah, I don't know all the answers. So hey, if you've got some other alternative or better solution, please share them in the comments, like the video, share it, do whatever you've got to do, and uh, I'm grateful for it. So thank you guys for watching. See you in the next video.
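To make the mechanism from the video concrete, here is an added example in C. It is not the source of the Leviathan binary and is not part of the video: it reconstructs only the pattern ltrace exposed (access() on the argument, snprintf into "/bin/cat %s", then system()) and puts it next to a version that hands the argument to cat as a single argv entry with no shell in between, after dropping the setuid privilege. The function names, the buffer size and the error message are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Builds the command string ltrace showed being handed to system():
 * "/bin/cat " followed by the user-supplied argument, unquoted.
 * Returns 1 on success, 0 if the argument did not fit in the buffer. */
int build_cat_command(const char *arg, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "/bin/cat %s", arg);
    return n >= 0 && (size_t)n < cmdlen;
}

/* Test helper: 1 if build_cat_command() yields exactly `expected`. */
int command_equals(const char *arg, const char *expected)
{
    char cmd[512];
    return build_cat_command(arg, cmd, sizeof cmd) && strcmp(cmd, expected) == 0;
}

/* Returns 1 if sh -c would not treat the argument as one plain word.
 * The video used ';', but '|', '&', '$', backticks and whitespace all
 * reach system() unchanged and split the command just the same. */
int has_shell_metachars(const char *arg)
{
    return strpbrk(arg, ";|&$`\"'\\<>()*?[]{}~ \t\n") != NULL;
}

/* Reconstruction of what ltrace showed (assumed structure): access()
 * answers for the real user, so a readable file literally named
 * "fake;bash" passes, then the same string goes to system(), where
 * sh runs "/bin/cat fake" and then "bash" with the setuid owner's
 * effective uid. Returns the status from system(), or 1 on refusal. */
int printfile_vulnerable(const char *arg)
{
    char cmd[512];

    if (access(arg, R_OK) != 0) {
        puts("You can't have that file.");   /* assumed message text */
        return 1;
    }
    if (!build_cat_command(arg, cmd, sizeof cmd))
        return 1;
    return system(cmd);   /* sh -c "/bin/cat fake;bash" */
}

/* Hardened version: no shell is involved, so the argument is always
 * exactly one argv entry for cat, and the child drops to the real user
 * before the exec. That makes the up-front access() unnecessary: cat
 * itself gets "Permission denied" on files the caller may not read.
 * Returns cat's exit status, or -1 if the child could not be started. */
int printfile_hardened(const char *arg)
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop the setuid owner's effective uid. On exec the saved uid
         * is set from the effective uid, so the drop survives into cat. */
        if (setuid(getuid()) != 0)
            _exit(127);
        char *const argv[] = { "/bin/cat", "--", (char *)arg, NULL };
        execv(argv[0], argv);
        _exit(127);   /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    if (has_shell_metachars(argv[1]))
        fprintf(stderr, "note: '%s' would be split by sh -c in the vulnerable version\n", argv[1]);
    return printfile_hardened(argv[1]);
}
```

Compiled and run as ./demo 'fake;bash' from the temp directory in the video, the hardened version simply asks cat for a file named "fake;bash" and nothing else runs; the vulnerable function is the one whose access() check is satisfied by that same file and whose system() call then executes bash. Note that the fix is not quoting or filtering the argument but never giving it to a shell at all, and doing the permission check as the real user at open time rather than with access() beforehand.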