Skip to main content

Bandit Level 25 → 26

Shubham
Cybersecurity Enthusiast

Login: ssh bandit25@bandit.labs.overthewire.org -p 2220
Password: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

task

Logging in to bandit26 from bandit25 should be quite easy. The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works, and how to break out of it.

theory lil bit

  1. SSH Key Permissions: SSH is very strict about security. If a private key file (.sshkey) is readable by other users, SSH will reject it to prevent abuse. You must set permissions to 700 or 600.
  2. Custom Login Shells: The /etc/passwd file defines what program runs when a user logs in. It doesn't have to be a standard shell like /bin/bash; it can be any executable script. If that script exits, your SSH session ends.
  3. Escaping Pagers (more): When a program like more (a pager) outputs text that is larger than your terminal window, it pauses. While paused, you can use built-in commands. Pressing v tells more to open the current file in the vim text editor.
  4. Vim Shell Escaping: vim has the ability to run system commands or spawn a new shell. By changing vim's internal shell setting (:set shell=/bin/bash) and then calling it (:shell), you can break out of a restricted environment and get a fully functional terminal.

my approach / solution

1. Finding and Fixing the SSH Key: I logged in and found bandit26.sshkey right in the home directory. I tried to use it to SSH into bandit26, but SSH yelled at me about bad permissions:

WARNING: UNPROTECTED PRIVATE KEY FILE! Permissions 0755 for 'bandit26.sshkey' are too open.

I fixed this by restricting the permissions so only my user could read it: bandit25@bandit:~$ chmod 700 bandit26.sshkey

2. The Disappearing Shell Problem: When I tried to SSH after fixing the key, the server displayed an OverTheWire banner and then immediately kicked me out. I needed to figure out what was happening upon login.

I checked the /etc/passwd file for bandit26 to see what shell it was using: bandit25@bandit:~$ cat /etc/passwd | grep bandit26 bandit2611026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

Instead of /bin/bash, it was running a custom script called /usr/bin/showtext. I checked the contents of that script: bandit25@bandit:~$ cat /usr/bin/showtext #!/bin/sh export TERM=linux exec more ~/text.txt exit 0

3. Breaking out of more: The script simply runs more on a text file and then exits. If I could interact with more before it finished printing the file, I could escape it. I reduced my terminal window size (so the text wouldn't fit on one screen) forcing more to pause.

I logged in via SSH again, but this time i resized my terminal to a very small size... the screen paused at the bottom ... instead of hitting space to scroll .. i pressed the v key on my keyboard. This is a built-in shortcut that opens the current text block in the vim editor.

4. Spawning a bash shell from Vim: Once inside Vim, I had the ability to run commands. I pressed : to enter command mode and changed Vim's default shell to bash: :set shell=/bin/bash

Then, I pressed : again and told vim to spawn that shell: :shell and yeah ....i was dropped into a normal bash terminal as the user bandit26.

5. Catching the Flag: Now that I had a fully interactive shell, I simply read the password file for bandit26: bandit26@bandit:~$ cat /etc/bandit_pass/bandit26 s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ

<!-- truncate -->