Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Solution
Looking in bandit25’s home directory we see the private key for the bandit26 user, but the level goal tells us that the login shell for bandit26 is not a bash shell. To find out the shell that is set for bandit26 we can look in the /etc/passwd file.
$ grep bandit26 /etc/passwd
`bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext`
$
We can see that “/usr/bin/showtext” is set as the shell for bandit26. Looking at that file we see the following:
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
So the script displays the contents of /home/bandit26/text.txt using the more pager. As stated in the man page, more has a command mode based on vi. This could help us out, but when the whole file fits on the screen, more prints all of the file's contents and exits without ever waiting for a command; the script then ends and the shell closes. The contents of text.txt, which are displayed after the normal SSH banner when logging in as bandit26, are:
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
This is six lines in height, so if we make our terminal six lines high or smaller, we will stay in the paging mode of more and can use its command mode. Doing so, we see the following:
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
--More--(83%)
As seen in the man page, we can use the command “v” to start up an editor at the current line. It defaults to vi as the editor if a different one is not set in either the VISUAL or EDITOR environment variables. After hitting “v” we see that we are in fact dropped into a vi session. With vi/vim, you can use the command “:e some-file” to open “some-file” for editing. If we use the command “:e /etc/bandit_pass/bandit26” we will open that file in our vi session, which contains the bandit26 password: c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1.
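An added example, not part of the original write-up: a defender-side audit in Python that flags accounts whose login shell is a wrapper script invoking a pager or editor with a command mode, as showtext does with more. The ESCAPABLE and STANDARD_SHELLS lists, the "notice" account and the showtext-cat script are assumptions made for illustration.

```python
import re
import shlex

# Programs whose interactive command mode can open files or spawn an editor/shell.
ESCAPABLE = {"more", "less", "vi", "vim", "view", "man", "ed"}
# Assumed allowlist: ordinary shells plus shells that refuse interactive logins.
STANDARD_SHELLS = {"/bin/sh", "/bin/bash", "/usr/sbin/nologin", "/bin/false"}

def escapable_commands(script_text):
    """Return the escapable programs a shell script invokes, in order."""
    found = []
    for line in script_text.splitlines():
        if line.strip().startswith("#"):
            continue  # shebang or comment
        for part in re.split(r"[;&|]+", line):
            try:
                words = shlex.split(part)
            except ValueError:
                continue  # unbalanced quotes: skip rather than guess
            # Drop prefixes such as "exec" or "VAR=value" to reach the command.
            while words and (words[0] in ("exec", "command")
                             or re.fullmatch(r"\w+=.*", words[0])):
                words.pop(0)
            name = words[0].rsplit("/", 1)[-1] if words else ""
            if name in ESCAPABLE and name not in found:
                found.append(name)
    return found

def audit(passwd_text, scripts):
    """Return (user, shell, programs) for each risky wrapper login shell."""
    findings = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) != 7 or fields[6] in STANDARD_SHELLS:
            continue
        hits = escapable_commands(scripts.get(fields[6], ""))
        if hits:
            findings.append((fields[0], fields[6], hits))
    return findings

# Constructed sample: the bandit26 entry and showtext script are from the page;
# the "notice" account and /usr/local/bin/showtext-cat are hypothetical.
PASSWD = ("bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext\n"
          "notice:x:12000:12000:banner only:/home/notice:/usr/local/bin/showtext-cat\n")
SCRIPTS = {
    "/usr/bin/showtext": "#!/bin/sh\nexport TERM=linux\nexec more ~/text.txt\nexit 0\n",
    "/usr/local/bin/showtext-cat": "#!/bin/sh\nexec cat ~/text.txt\n",
}

print(audit(PASSWD, SCRIPTS))
```

On a real host, pass in the contents of /etc/passwd and the text of each non-standard login shell script it names.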