Level26Level GoalGood job getting a shell! Now hurry and grab the password for bandit27!SolutionContinuing from where we left off in the last level, if we run “:help shell” from inside the vi session we will see the following:... :sh[ell] This command starts a shell. When the shell exits (after the "exit" command) you return to Vim. The name for the shell command comes from 'shell' option. E360 :!{cmd} Execute {cmd} with the shell. See also the 'shell' and 'shelltype' option. ...Let’s check out the shell option by running “:options”. Search for “shell” inside of the options pane. To search in vi/vim, from normal mode do a “/” followed by the search term; use “n” to go to the next instance of the term and “p” to go to the previous. We see the following when searching for “shell”:shell name of the shell program used for external commands set sh=/usr/bin/showtextLet’s set the shell to one that is useful to us. From normal mode enter a “:” to enter command mode and then enter “set shell=/bin/bash”. We can now run shell commands from inside vi. From command mode (which again you enter by typing “:” from normal mode) you can type “!” follwed by a command to execute it in a shell (eg !ls to get the directory listing). To make things easier, if we enter “!/bin/bash” we will be dropped into a bash shell so we can work directly from there. We can see that in bandit26’s home directory there is a bandit27-do executable. It tells us that we can run a command as another user, and if we run the “whoami” command we see that we are in fact executing the commands as bandit27. So, we can use that executable to get the contents of the /etc/bandit_pass/bandit27 file.root@0xCAB: /writeups/overthewire/bandit/level26/$ ls^1000 `bandit27-do text.txt`$ ./bandit27-do^1000 `Run a command as another user.`` Example: ./bandit27-do id`$ ./bandit27-do whoami^1000 `bandit27`$ ./bandit27-do cat /etc/bandit_pass/bandit27^1000 `YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS`$