OverTheWire’s Bandit 25 -> 26 Shell
Link: http://overthewire.org/wargames/bandit/bandit27.html
So it might seem a bit random that I’ve decided to do an OverTheWire Bandit writeup, particularly because I’m starting the writeup at level 25, but there is some context behind it.
I remember first trying to do the Bandit challenges a couple of years ago and, not knowing how to SSH into a machine, I gave up after about two hours of trying. In my defence, my Windows 7 computer at the time couldn’t have done it without installing Putty and I didn’t know what Linux was.
I tried again after about a year and followed a lot of tutorials to get most of the way through it, however I wasn’t very familiar with the command line at the time.
This week, I decided to have a look at the set of challenges again, now feeling a lot more confident in Linux. It was great to see the progression I’d made, but I still had to Google some hints for a few of them (level 25 is one of those). But what I noticed was that levels 26 onwards were new, I don’t know when they added them in but I didn’t remember them at all.
For this reason I thought I would put up my own writeups of these new challenges as I couldn’t see many writeups for them online.
I am starting with the old 25->26 level because while the difference between getting the level 26 password and getting the level 26 shell is only a few lines, a Google search showed that there aren’t many writeups which cover it (likely because you didn’t need a shell on it when 26 was the last level).
For those who did the original challenges years ago and want to follow along from 25, I will post the level 25 password below, if you haven’t done the rest before though then I recommend doing them, they’re worth your time.
bandit25:uNG9O58gUE7snukf3bvZ0rxhtnjzSGzGEnough talking, let’s get started.
The challenge description is shown on the site:
Firstly we’ll ssh into the server and have a look in the home directory:
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$So there’s a key here, this must be what they’re referring to when they say that connecting to bandit26 “should be” easy. Let’s try ssh’ing into bandit26 and see what happens.
bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey
Well it kicks us straight back out, guess it’s not that easy. The challenge mentions that the shell for bandit26 isn’t bash, so let’s see what it has instead.
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$/usr/bin/showtext? Definitely doesn’t seem standard. We’ll have a look inside it (it’s a bash script so I’m just going to use cat).
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/shexport TERM=linuxmore ~/text.txt
exit 0
bandit25@bandit:~$
So it calls more on a file in its home directory then exits, pretty limited. I’ll be honest that I didn’t come up with the solution myself and needed some external help (OK Google, how do you solve Bandit level 25?), but it’s a pretty random way to solve the challenge so good work to those of you who could think that far outside the box.
What we need to do is to trigger more to go into its command view so that the program doesn’t just exit. In other words, make your terminal as small as possible then ssh in.
Yep, that’s the way to break out. Very out of the box to get out of the box.
So now we’ve got more working, what can we do with it? Well in more you have a few commands, one of them letting us open the file in vim. All we have to do is press v on the keyboard. (If you want more information check the man page)
I now have vim running on the file. I’ve also rescaled my windows so that I can actually see.
Here’s where my writeup will deviate from what you normally find online. I will first show how to get the password for level26, then I will show you how to get a shell. Most people seem to just get the password, however if you ssh in with the password you will still get kicked back out again so you won’t be able to get to level 27.
So now we have vim, we can open another file using the :e command. We will want the bandit26 password so this is the command we will use:
:e /etc/bandit_pass/bandit26If you’re unfamiliar with vim, make sure you press escape to enter command mode (it’s in there automatically but if you pressed any other keys you may need to change back to it).
Ok so the password is 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z, but we haven’t got a shell and ssh’ing in with it will still just leave us in that showtext script from earlier. So how can we get to a shell from vim? Well from looking up vim in Google, vim has a shell command. So if we type :shell then it should return us into a shell, seems pretty easy.
What? It just put us back into more. Well that’s not that helpful we’ve just done a full loop. Why would vim put us into more when we asked for a shell? Pretty much, vim knows that the shell for bandit26 is the showtext file and it stores this in a variable called shell. So if we want to break out we need to change this variable first. So we get back into vim and use the following command to set that value
:set shell=/bin/bashAfter that we can now tell vim to start a shell with :shell and…
We’ve got a shell!
Once again, I’ve basically uploaded this as a prerequisite to the newer Bandit challenges. My level 26 -> level 27 writeup will assume that you’re in this shell already.
