OverTheWire: Bandit Level 25 → Level 26


Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Commands you may need to solve this level

ssh, cat, more, vi, ls, id, pwd

> whatis ssh
ssh (1) - OpenSSH remote login client
> whatis cat
cat (1) - concatenate files and print on the standard output
> whatis more
more (1) - file perusal filter for crt viewing
> whatis vi
vi (1) - Vi IMproved, a programmer's text editor
> whatis ls
ls (1) - list directory contents
> whatis id
id (1) - print real and effective user and group IDs
> whatis pwd
pwd (1) - print name of current/working directory

Note : Not all commands are required to complete the level

Helpful Reading Material


Lets view if there are any files in our current working directory.

bandit25@bandit:~$ ls

We see that we have the SSH key for bandit26 lets use SSH and login into the next level.

Note : We are connecting to “localhost” because bandit26 also exist on the same device as bandit25 and to connect to the same device that we are already on we use hostname as localhost. There was no need to specify the port because similar to hostname we are trying to connect to the same device and the device is already aware of the port on which SSH is running.

On looking at the output it looks like we did connect to bandit26 but we where logged out immediately. In the question we have been told that the default shell for bandit26 is not “/bin/bash” so lets find out what shell is being used.

The “/etc/passwd” file consist of information regarding the users on the device along with the shell that is being used by each user.

cat /etc/passwd

We see that an shell called “/usr/bin/showtext” is being used by bandit26. Lets have an look at the content of this “showtext” shell to see what we are dealing with.

Looking at the content we see that the shell is an shell script that is using the “more” command and outputting the contents of the text.txt file and then terminating. From what we saw before its safe to assume that the banner with the text bandit26 is the content that is saved in this file.

Looking at this script we can understand that the reason that we where getting logged out is the line “exit 0” which is executed as soon as all the text from the text.txt file is displayed. So we need to find an way by which we do not exit out of the more utility.

From my previous experience with the “more” command I know that if the amount of content that needs to be displayed on the terminal is more that the size of the terminal the more tool goes into interactive mode the command does not quit till we don't view all the contents in the file or we don't exit manually the program.

There is an example where I tried to view the content of the .bashrc file using more command.

more .bashrc

Notice how the entire content is not shown in the terminal like with the “cat” command. The more utility is waiting for us to scroll through the content and reach the end at which point the command is finishes this execution.

In our case since the text the needs to be printed to the terminal is less than the size of the terminal the more command finishes execution and proceeds to the next command in the shell script.

We need to open more in the interactive mode so lets make the size of our terminal very small and then try to login as bandit26. If our understanding of what is happening is current this time we should not get logged out and we should be in interactive mode of more.

ssh bandit26@localhost -i bandit26.sshkey

As expected we are in more and since the content could not fit in our terminal more has entered interactive mode. Now the next step for us is to some how spawn a “/bin/bash” shell.

If we look at the man pages of more we see that by pressing the “v” key while in interactive mode it will open the current line in an editor that is defined by the VISUAL and EDITOR environment variables. If both the variables are not set then Vim will be used. Lets see on pressing “v” which editor we get.

Looking at the output looks like it opened the vim editor. This is great anyone who has used vim knows that vim has an command mode which has the ability to execute system commands. By performing a quick google search we can gather that using the “set shell” command we can change the shell a user and by invoking “shell” the user should be loaded into the specified shell. The “:” operator is used to enter command mode in vim.

Note : Once this command is entered we will be put in insert mode so press “Esc” to exit inset mode and enter the next command.

And as we will see we have launched the bash shell and are logged in as banddit26. Lets capture the password for banddit26 so that we can use it later if required.

Note 1 : It is recommended to complete the next level right after this as you are already logged in as bandit26 plus if logout now then you will have to repeat the same steps as above to login once more into bandit26.

Note 2 : If logging out remember that you have to logout twice once from bandit26 and then from bandit25. When trying to return back to bandit25 you will end up in vim in insert mode use Esc to quit insert mode and type :q to quit vim now more should open up press q again to exit more as well.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

My First MEAN Web App Part 2: Docker — Containing it all!


A Refactoring Guide for Ruby on Rails

Before and after refactoring (chimney). Ref.: https://static.wixstatic.com/media/222c5c_c5c48d7d2ae54f08931baa6a8932f7a8~mv2_

Rise of the finite-state machines

Polkascan Development Update #7

SHE QC ideation, a story grooming technique

My Flatiron Project Showcase (part 2)

Meta Mansions Update Summary

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
David Varghese

David Varghese

More from Medium

A Containerized RESTCONF-NETCONF App ☁

Backup/Save your servers…(Part 1)

Using CNCF Harbor to locate Log4Shell CVE (Part 1)

5 everyday security practices you need to get right