Bandit Level 25 → 26
Login: ssh bandit25@bandit.labs.overthewire.org -p 2220
Password: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
task
Logging in to bandit26 from bandit25 should be quite easy. The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works, and how to break out of it.
theory lil bit
- SSH Key Permissions: SSH is very strict about security. If a private key file (
.sshkey) is readable by other users, SSH will reject it to prevent abuse. You must set permissions to700or600. - Custom Login Shells: The
/etc/passwdfile defines what program runs when a user logs in. It doesn't have to be a standard shell like/bin/bash; it can be any executable script. If that script exits, your SSH session ends. - Escaping Pagers (
more): When a program likemore(a pager) outputs text that is larger than your terminal window, it pauses. While paused, you can use built-in commands. Pressingvtellsmoreto open the current file in thevimtext editor. - Vim Shell Escaping:
vimhas the ability to run system commands or spawn a new shell. By changing vim's internal shell setting (:set shell=/bin/bash) and then calling it (:shell), you can break out of a restricted environment and get a fully functional terminal.
my approach / solution
1. Finding and Fixing the SSH Key:
I logged in and found bandit26.sshkey right in the home directory. I tried to use it to SSH into bandit26, but SSH yelled at me about bad permissions:
WARNING: UNPROTECTED PRIVATE KEY FILE! Permissions 0755 for 'bandit26.sshkey' are too open.
I fixed this by restricting the permissions so only my user could read it: bandit25@bandit:~$ chmod 700 bandit26.sshkey
2. The Disappearing Shell Problem: When I tried to SSH after fixing the key, the server displayed an OverTheWire banner and then immediately kicked me out. I needed to figure out what was happening upon login.
I checked the /etc/passwd file for bandit26 to see what shell it was using:
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26❌11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
Instead of /bin/bash, it was running a custom script called /usr/bin/showtext. I checked the contents of that script:
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
3. Breaking out of more:
The script simply runs more on a text file and then exits. If I could interact with more before it finished printing the file, I could escape it. I reduced my terminal window size (so the text wouldn't fit on one screen) forcing more to pause.
I logged in via SSH again, but this time i resized my terminal to a very small size... the screen paused at the bottom ... instead of hitting space to scroll .. i pressed the v key on my keyboard. This is a built-in shortcut that opens the current text block in the vim editor.
4. Spawning a bash shell from Vim:
Once inside Vim, I had the ability to run commands. I pressed : to enter command mode and changed Vim's default shell to bash:
:set shell=/bin/bash
Then, I pressed : again and told vim to spawn that shell:
:shell
and yeah ....i was dropped into a normal bash terminal as the user bandit26.
5. Catching the Flag:
Now that I had a fully interactive shell, I simply read the password file for bandit26:
bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
<!-- truncate -->
