
Exploring Leviathan CTF - OverTheWire


Leviathan

Leviathan is a CTF hosted on overthewire.org that will test your knowledge of and familiarity with Linux. It’s a good starting point if you are looking to learn more about reverse engineering and Linux, and you will also get an idea of how CTFs/wargames work.

There are a total of 7 levels in Leviathan, each with increasing difficulty, and you will learn something new with each level.

The developers of this wargame have discouraged people from publishing walkthroughs and tutorials, so I will be writing about what you will learn from each level and dropping tiny hints to help you. To get 100% of the benefit from this wargame, you should not read any walkthroughs or tutorials. Instead, try on your own, fail multiple times, and learn how to approach a challenge.

Level 0

To log in to level 0, connect to the SSH service hosted on port 2223 at leviathan.labs.overthewire.org with the following command and the password leviathan0:
`ssh -p 2223 leviathan0@leviathan.labs.overthewire.org`
To log in to level X, change the username from leviathan0 to leviathanX.

Passwords for all the levels are stored in the directory /etc/leviathan_pass/, but each one is readable only by the corresponding user. For example, the leviathan0 user cannot read the password of leviathan1.

In this level, you will learn about hidden directories and files in Linux. You can use the grep command to search for interesting strings in a large file.

Level 1

In this level, you will find an ELF binary in your HOME directory. This is a 32-bit ELF binary with setuid permissions.

Level1 `check` Binary

From now on, you will find a setuid binary in almost every level of Leviathan.

So, what is a setuid binary? When you issue the ls -l command, you will see the owner permission (first 3 characters) as r-s. Generally, it is set to r-x, which means the owner of this file can read and execute it. In this case, x is replaced with s, meaning this is a setuid binary.

In simplest terms, any user who has permission to execute a setuid binary will temporarily have the privileges of the file’s owner. For example, even though we’re logged in as leviathan0, executing this file will give us the permissions of leviathan1, the owner of the binary. This is important because we need leviathan1’s permissions to read our password file located at /etc/leviathan_pass/leviathan1.

But there’s a catch: this binary might or might not have the programming logic to read the file /etc/leviathan_pass/leviathan1. Even if it does, that logic might not be easily accessible. To solve this challenge, we need to find a vulnerability in the binary and exploit it to make the binary read the password file for us.

This will be the case in every level of this challenge. There will be some challenge or vulnerability in a setuid binary that we must exploit in order to read the password file. By using this password, we can log in to the next level.
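To see the `r-s` versus `r-x` distinction described above on your own system, the following is an added example and not part of the wargame or its binaries. It classifies the owner-execute slot of an `ls -l` mode string and lists setuid files under a directory, which is also how an administrator would audit them. The function names and the sample mode strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: read the owner-execute slot of an `ls -l` mode string and
# list the setuid files under a directory.

# classify_owner_exec MODE
#   MODE is the first column of `ls -l`, e.g. "-r-sr-x---".
#   Prints: setuid | setuid-noexec | exec | noexec
classify_owner_exec() {
    # Character 1 is the file type, characters 2-4 are the owner bits.
    slot=$(printf '%s' "$1" | cut -c4)
    case "$slot" in
        s) echo "setuid" ;;          # setuid bit set, owner execute set
        S) echo "setuid-noexec" ;;   # setuid bit set, owner execute missing
        x) echo "exec" ;;            # ordinary executable
        *) echo "noexec" ;;
    esac
}

# list_setuid DIR
#   Prints "<mode> <owner> <path>" for every regular file with the setuid bit.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        line=$(ls -ld "$f") || continue
        mode=$(printf '%s' "$line" | cut -c1-10)
        owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
        printf '%s %s %s\n' "$mode" "$owner" "$f"
    done
}

# Mode strings below are constructed samples.
classify_owner_exec "-r-sr-x---"
classify_owner_exec "-rwxr-xr-x"
# Audit a directory (defaults to /usr/bin when no argument is given).
list_setuid "${1:-/usr/bin}"
```

The owner column in the listing is the user whose privileges the process gains when the file is executed.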

You can use a program like gdb to read the disassembly of this binary and understand the programming logic, or you can take a simpler approach by using ltrace to execute the binary and see which library calls are being made. This will give you a decent idea of the binary’s behavior.

Both methods will help you understand the programming logic behind the check binary, and then you can bypass the weak logic to either spawn a setuid shell or read the password file.

`ltrace ./check`

A good approach would be to read the manual or summary of all the library calls shown above, understand what arguments are needed to invoke them, and what the possible return values are.

Level 2

Leviathan2 has a similar setuid binary named printfile.

Leviathan2 printfile

In this level, you will learn about command-line arguments and how these arguments are read by a binary. This challenge also focuses on how unsanitized user input can lead to unintended behavior in code. You will learn how files with spaces in their names can be handled differently by programs.

`ltrace ./printfile`
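The point above about file names with spaces, as an added example that is not code from the printfile binary: the same name is one argument when passed as its own argv element, but becomes several words when a program pastes it into a command string for `/bin/sh`. The helper names and file names are hypothetical.

```sh
#!/bin/sh
# Added example (constructed): one file name, tokenized two different ways.

# words_via_command_string NAME
#   Pastes NAME into a command line built by string concatenation, the way a
#   program calling system() hands a string to /bin/sh. Prints one line per
#   word the shell produced. This is the fragile pattern.
words_via_command_string() {
    sh -c "for w in $1; do printf '%s\n' \"\$w\"; done"
}

# words_via_argv NAME
#   Passes NAME as a separate argument (execve-style). The shell never
#   re-parses it, so it stays a single word. This is the robust pattern.
words_via_argv() {
    sh -c 'for w in "$@"; do printf "%s\n" "$w"; done' _ "$1"
}

# compare NAME
#   Prints "argv=<n> string=<m>": how many names each path ends up handling.
compare() {
    a=$(words_via_argv "$1" | wc -l | tr -d ' ')
    s=$(words_via_command_string "$1" | wc -l | tr -d ' ')
    echo "argv=$a string=$s"
}

compare "report.txt"      # both paths agree on a single name
compare "my notes.txt"    # the command string sees two names
```

When a permission check uses the argv form and the action uses the string form, the check and the action can refer to different files, so a fix passes the name as a single argument or rejects names it cannot handle.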

Level 3

This level was simple, but a complicated approach can make it worse. Personally, I spent a lot of time on this level and later found out I was overthinking and couldn’t see the clear hint inside the binary to bypass it. This level is very similar to level 1, but not exactly the same.

The binary file level3 takes input from stdin, and somehow I got stuck on the idea of exploiting a buffer overflow vulnerability, which, sadly, does not exist in this file.
My approach was to utilize the 0x100 bytes that fgets was reading from stdin and try to overwrite the return address that was pushed when do_stuff() was called from the main() function. But due to the size limit on the stdin buffer, I could not overwrite the return address, and I could not buffer overflow this binary.

level3 fgets function

If you find a solution by exploiting a buffer overflow vulnerability, do let me know. 😊 Instead, there is a simple solution to this level.

Level 4

In this level, you can revisit the knowledge gained from the previous levels and find a solution quickly. You will also need to revisit your knowledge of bits and encodings, which are also fundamentals of computer science.

Level 5

Level 5 will teach you about Linux files. There is a way to create a shortcut for a file in Linux, similar to how it’s done in Windows, which could be helpful to pass this level. There could be multiple approaches to solve a challenge—think outside the box, and you will find one.

Level 6

In this level, you have to find the correct 4-digit password, which will be passed as a command-line argument to the setuid binary leviathan6. You can use two approaches here: one is to brute-force all combinations of the 4-digit password and try them. Obviously, you should not do this manually—write a script in bash or python to generate the list and execute the binary to find the correct password.

If you want to be less noisy, you can go with the second approach and read the disassembly of the main function to find out what the actual password is to solve this challenge.

Level 7

That's it, you are here. You have become a Leviathan-certified Linux user 😉

Congrats

Try solving more CTF challenges on your own to boost your knowledge in an interesting way.

This post is licensed under CC BY 4.0 by the author.