Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
OverTheWire Behemoth Level 0 → 1 tutorial!!
Published on 29 Aug 2023
Login
ssh behemoth0@behemoth.labs.overthewire.org -p 2221
# password: behemoth0
Why? Each Behemoth level is a separate UNIX user. To solve 0 → 1, you must log in as
behemoth0.
Task
There is a binary called /behemoth/behemoth0.
It asks for a password and if correct, escalates you to behemoth1 (via setuid).
Our mission: discover the correct password.
A little bit of Theory
ltraceshows dynamic library calls invoked by the binary (e.g.strcmp,scanf,puts). Perfect for spotting hidden string comparisons.- Hardcoded checks often use
strcmp(user_input, "secret"). Withltraceyou can directly see the string. - If
ltraceis not installed,stringscan also reveal embedded plaintext passwords.
Further reading:
Solution
-
Run the binary normally
cd /behemoth ./behemoth0 Password: test Access denied..→ It clearly expects a special password.
-
Trace with
ltraceltrace ./behemoth0Simplified output:
printf("Password: ") __isoc99_scanf(...) strcmp("test", "eatmyshorts") = -1 puts("Access denied..")👉 The password check is comparing against
eatmyshorts. -
Use the discovered password
./behemoth0 Password: eatmyshorts Access granted.. whoami # behemoth1✅ We are now running as
behemoth1. -
Grab the password for next level
cat /etc/behemoth_pass/behemoth1Output:
aesebootiv
Password
aesebootiv
Troubleshooting
ltrace: command not found→ fallback:strings /behemoth/behemoth0 | grep -i short.- No strcmp output → enter dummy input to trigger comparison.
- Still “Access denied” → check for typos (must be exact match).
- Permission denied reading file → confirm
whoami=behemoth1.
Copy-paste quick run
cd /behemoth && ltrace ./behemoth0
# → reveals password "eatmyshorts"
echo eatmyshorts | ./behemoth0
whoami
cat /etc/behemoth_pass/behemoth1
Congrats 🎉 You successfully leaked the hardcoded password using ltrace, escalated to behemoth1, and grabbed the next password!
Thanks for reading!
Until next time — Otsumachi!! 💖☄️✨
all tags
GOT-overwrite aboutme aead ai alphanumeric-shellcode apt argc0 argon2 aslr assembly asymmetric atoi automation backbox bandit base64 bash beginner behemoth binary binary-exploitation binary-to-ascii blackarch blind blind-sqli blogging blue-team bruteforce buffer-overflow buffer-overwrite c caesar canary capabilities checksec command-injection commonmark cookie cron crypto cryptography ctf cutter cyberchef cybersecurity defenders detection dev directory-traversal dnf docs drifter ecc education elf env envp exploitation finale forensics format-string formulaone frequency frequency-analysis gcc gdb getchar gfm ghidra github-pages governance gpg guide hashing hkdf http jekyll jmpbuf kali kasiski kdf kernel keylength kramdown krypton lab ld_preload leviathan lfi lfsr linux linux-syscall llmops log-poisoning ltrace manpage markdown maze memcpy mitigations mitmproxy mlops narnia natas networking newline-injection nonce nop-sled nx object-injection obsidian openssl osint overflow overthewire package-manager pacman parrot path path-hijacking pathname php pie pkc pki pointer-trick pqc priv-esc privilege-escalation provable-security pwn pwntools pyshark python race-condition radare2 rag randomness recon red-team redirect relro requests ret2env ret2libc reverse-engineering reversing ricing roadmap rop rot13 rsa scapy security seed seo serialization session setjmp-longjmp setuid shell shellcode smoke soc sockets sprintf sql-injection srop stack-canary stack-overflow strace strcmp strcpy streamcipher strings strncpy strtoul substitution suid suisei symlink symmetric terminal test threat-intel time-based tls troubleshooting tshark type-juggling ubuntu udp utumno vigenere virtualbox virtualization vmware vortex walkthrough web windows wireshark writing wsl x86