Smash The Stack Logic Level 1 * Spoiler * Part b

Dan O'Connor — Thu, 26 Apr 2012 02:19:59 +0000

A couple more things to mention, just running the basic commands from the web page will only give you a single line of output. You could just guess which is what I did or if you really need to see the output of the commands I would redirect them to the upload directory and from there you can view them. The other thing you could have done is uploaded nc directly to the server ( I did not try this, I did not want to break anything) and execute it in to a listening loop against /bin/sh, insta shell. Or you could do the same thing by creating a service.

Smash The Stack Logic Level 1 * Spoiler *

Dan O'Connor — Thu, 19 Apr 2012 04:40:59 +0000

I had a bit of time so I thought I would take a look at Level 1 on Logic.

Not much of an introduction.. http://logic.smashthestack.org:88/

We don’t have shell access and only have the link to the uploader. If you submit a file the next page is PHP, so we know the site is PHP enabled.

First thing I tried was a basic hello php script, just to see what would happen.

Ta-da it worked, we got a hello back.

Next I tossed some ‘ls’ commands at various directories to see what was going on.

Not much stands out, just the README file left in the level1 home directory.

Congrats on getting to the shell. Now you must find the password for level2.
Once you have found the password you can reconnect to the server as the level2 user:
ssh -p 2227 logic.smashthestack.org -l level2
You need not look far from home

So now what? lets take another look at the home directory with a ‘ls -alh’.

There is one more file to look at, a .bash_history.

ls
who
cat README
ach3sa6F
clear
su level2

Yay for fat fingers, there is the password.

Irregular Expressions » smashthestack logic level 1

Smash The Stack Logic Level 1 * Spoiler * Part b

Smash The Stack Logic Level 1 * Spoiler *