OverTheWire Leviathan Walkthrough: All 8 Levels (0 to 7) Step by Step
Leviathan is a great follow-up to Bandit. It keeps things beginner-friendly but introduces small programs you have to inspect and exploit — your first real taste of looking inside binaries with tools like ltrace. There are 8 levels (0 to 7).
Passwords reset over time, so this guide shows the method and commands rather than the passwords. Run the commands yourself to get the current one.
Connect with SSH:
Replace X with the level number. The username and password are the same at level 0 (leviathan0 / leviathan0). Each level's password is also stored on the server at /etc/leviathan_pass/leviathanX — once you become the next user, you can read it there.
Level 0 → 1 — A Hidden Backup Folder
Goal: Find the password hidden in your home directory.
There's a hidden folder called .backup. Inside is a bookmarks.html file containing the next password.
Why it works: Hidden files (starting with .) don't show with a plain ls. The -a flag reveals them, and grep pulls out the line containing the password.
Level 1 → 2 — Inspecting a Binary with ltrace
Goal: Defeat a password-checking program called check.
Running ./check asks for a password. Instead of guessing, watch what it does internally with ltrace, which shows the library calls a program makes.
You'll see it compares your input to the word sex. Now run it for real:
Why it works: ltrace exposes the strcmp() call that reveals the secret word. Entering it drops you into a shell running as leviathan2, so you can read its password.
Level 2 → 3 — Symlink + Filename Trick
Goal: Abuse a setuid program printfile that prints a file using /bin/cat.
The program first checks if you can read the file, then runs cat on it. The flaw: a filename with a space is split into two arguments by the shell. We make the first part a file we own (passes the check) and the second part a symlink to the real password.
Why it works: The access check sees one readable file "abc def", but cat receives two arguments — abc and def. The def symlink points to the password file, so its contents get printed.
Level 3 → 4 — ltrace Again
Goal: Beat another password-checking binary, level3.
Same approach as Level 1 — let ltrace reveal the secret word.
The magic word is snlprintf. Run it properly:
Why it works: Just like Level 1, the hardcoded comparison string is visible in the strcmp() trace.
Level 4 → 5 — Decoding Binary Output
Goal: Read a program that prints the password in binary (1s and 0s).
There's a hidden .trash folder with a program that outputs binary. Pipe it through a quick converter to turn it into text.
Why it works: pack "B*" groups the bits into bytes and converts them to ASCII characters — revealing the password.
Tip: list the folder with ls -la .trash first to confirm the exact binary name, then run it and pipe the output to the Perl one-liner.
Level 5 → 6 — Symlink a Log File
Goal: Exploit a setuid program leviathan5 that reads and prints /tmp/file.log.
Since the program always reads that fixed path, just point it at the password file with a symlink.
Why it works: The program runs with elevated privileges and blindly prints /tmp/file.log. By making that path a symlink to the password file, it prints the password for us.
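Seen from the side of whoever wrote printfile (Level 2) and leviathan5, both tricks disappear if the helper opens the file with the caller's own rights, refuses a symlink, and never builds a shell command. The C below is an added example, not the wargame's source code; the names open_as_caller and print_file are hypothetical, and it assumes the helper only needs to read regular files and never needs to follow a symlink in the last path component.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` with the caller's own rights; returns an fd or -1 (errno set).
 * One open() replaces "check readability first, then read it again". */
int open_as_caller(const char *path)
{
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0)        /* kernel now checks the real user */
        return -1;
    /* O_NOFOLLOW: ELOOP if the last path component is a symlink. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    int err = errno;
    if (seteuid(saved) != 0)           /* cannot restore: fail closed */
        _exit(1);
    if (fd < 0) {
        errno = err;
        return -1;
    }
    struct stat st;                    /* fstat() sees the opened object */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Copy the file to stdout in-process. No shell command line is built,
 * so a name such as "abc def" stays one path and is never split. */
int print_file(const char *path)
{
    char buf[4096];
    ssize_t n;
    int fd = open_as_caller(path);
    if (fd < 0)
        return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)n) != n)
            break;                     /* n stays > 0: short write */
    close(fd);
    return n == 0 ? 0 : -1;
}
```

O_NOFOLLOW only covers the final path component, so a fixed path like /tmp/file.log is still better moved to a directory that other users cannot write to.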
Level 6 → 7 — Brute-Force a PIN
Goal: Crack a setuid program leviathan6 that wants a 4-digit code (0000–9999).
The range is tiny, so just try every code. When the correct one is entered, the program gives you a shell as leviathan7.
When the right PIN hits, you'll land in a new shell. From there:
Why it works: A 4-digit code only has 10,000 possibilities — trivial to brute-force. (You can also use ltrace ~/leviathan6 1234 to try to spot the comparison directly.)
Level 7 — The End
Goal: Collect your reward.
🎉 You've completed Leviathan! This level just confirms you've finished all 8.
Commands & Tricks Recap
| Skill | Where you used it |
|---|---|
| ls -la (find hidden files) | Levels 0, 4 |
| grep (search inside files) | Level 0 |
| ltrace (inspect a binary's calls) | Levels 1, 3, 6 |
| Symlink + filename tricks | Levels 2, 5 |
| Binary → text decoding | Level 4 |
| Brute-forcing a small keyspace | Level 6 |
Quick Tips
- Always ls -la first — hidden files and backup folders are common hiding spots.
- ltrace and strace are your best friends for understanding what an unknown binary does.
- Work inside /tmp (e.g. /tmp/yourname) when creating files or symlinks, since your home directory may not be writable.
- If a symlink already exists, use ln -sf to force-overwrite it.
For educational use only. OverTheWire wargames are built for safe, legal, hands-on learning.