Previous Level: Level 25
ssh firstname.lastname@example.org -p 2220
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
A little bit of Theory
Each user has a user default shell. This is especially important when using
ssh, because this is the shell that will be displayed. The information, what shell is the default for a user, can be found at the end of the line for the user in the ‘/etc/passwd’ file.
more is a shell command that allows the display of files in an interactive mode. Specifically, this interactive mode only works when the content of the file is too large to fully be displayed in the terminal window. One command that is allowed in the interactive mode is
v. This command will open the file in the editor ‘vim’.
Vim is a text editor. It enables you to run shell commands as well. It is possible to use vim to break out of a restricted environment and spawn a shell. To spawn the user’s default shell, the command
:shell is used. To change the shell to ‘/bin/bash’ the command is
First, we need to check what shell the user bandit26 used. We do this by looking in the correct line in the ‘passwd’ file.
We can see that it refers to a script called ‘showtext’ that opens a file called ’text.txt’ with the
Next, when we look in the home directory of the current user, we find a private ssh key. We can copy-paste the private key into a file on our machine. To be able to log in, we need to limit the rights to the key.
When trying to log in, we see that the connection is closed because ‘/usr/bin/showtext’ is executed.
What exactly has happened? The text in ’text.txt’ is very short, meaning the whole text can immediately be displayed.
more does not need to go into command/interactive mode. If we make the terminal window smaller,
more will go into command mode. We can then use
v to go into vim. Now we can rescale the window.
Vim is now opened as bandit26 and we can do different things to retrieve the password. With
:e /etc/bandit\_pass/bandit26 we can open the password file and read the password. If we want a shell, we could try the
:shell command that vim offers. This command, however, uses the user’s default shell. What we need to do instead is to set the default shell of the user in vim to a useful shell, like
\bin\bash. The commands look like the following:
:set shell=/bin/bash and then use
:shell. Finally, we have a shell and can get the password for the user.
Next Level: Level 27