OverTheWire Leviathan Level 3 → 4 tutorial!!

Login

Log in as leviathan3 using the password from Level 2 → 3.

ssh leviathan3@leviathan.labs.overthewire.org -p 2223
# password: f0n8h2iWLP

Why? Each Leviathan level is a different UNIX user. To solve 3 → 4, you must be leviathan3.

Task

There’s a SUID binary named level3 in the home directory. Find the password for leviathan4.

A little bit of Theory

• SUID binaries run with the owner’s privileges (here: leviathan4).
• ltrace shows library calls and their arguments (e.g., strcmp), which often leaks the expected password.
• Many “password checkers” simply do strcmp(user_input, "secret").

Further reading:

• ltrace — Linux man page
• setuid — Wikipedia
• strcmp(3) manual

Solution

1. List files and spot SUID binary

   ls -la
   

   Why? We confirm level3 is owned by leviathan4 and has the SUID bit.

   

2. Run it once to see behavior

   ./level3
   # Enter anything, e.g. Ahdiemoo1j
   

   Why? Baseline: it prompts for a password and prints “WRONG”.

   

3. Trace with ltrace to leak the real string

   ltrace ./level3
   # when prompted, type: test
   

   Why? The trace shows strcmp("test\n", "snlprintf\n") → expected password is snlprintf.

   

4. Use the discovered password to get a subshell

   ./level3
   Enter the password> snlprintf
   $ whoami
   leviathan4
   

   Why? SUID program spawns a shell running as leviathan4.

   

5. Read the real password from /etc/leviathan_pass

   cat /etc/leviathan_pass/leviathan4
   

   Why? All level credentials live here.

   

Password

WG1egElCvO

Troubleshooting

• ltrace shows no strcmp? Make sure you’re tracing ./level3 (not through a shell wrapper).
• Typed snlprintf but still “WRONG”? Remember fgets includes the newline automatically when you press Enter — you just type snlprintf then hit Enter.
• No subshell prompt ($) after success? Try whoami anyway; some shells don’t change the prompt string.

Copy-paste quick run

ssh leviathan3@leviathan.labs.overthewire.org -p 2223
# password: f0n8h2iWLP

ls -la                    # see SUID ./level3
ltrace ./level3           # strcmp(..., "snlprintf\n")

./level3                  # enter: snlprintf
whoami                    # → leviathan4
cat /etc/leviathan_pass/leviathan4
# → WG1egElCvO

Congrats 🎉 You used ltrace to catch a lazy strcmp password check and escalated via SUID. On to leviathan4!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨