MayADevBe Blog

A Blog about Computer Science

OverTheWire Bandit Level 25 -> 26 - Walkthrough

Previous Level: Level 25


Login

SSH: ssh bandit25@bandit.labs.overthewire.org -p 2220

Password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Task

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

A little bit of Theory

Each user has a default shell. This matters especially for SSH, because it is the shell that is started on login. Which shell is a user's default can be found at the end of that user's line in the ‘/etc/passwd’ file.

more is a shell command that displays files interactively. This interactive mode only works when the content of the file is too large to be displayed fully in the terminal window. One command that is allowed in the interactive mode is v, which opens the file in the editor ‘vim’.

Vim is a text editor that can also run shell commands. It is possible to use vim to break out of a restricted environment and spawn a shell. To spawn the user’s default shell, the command :shell is used. To change the shell to ‘/bin/bash’, the command is :set shell=/bin/bash.

Solution

First, we need to check what shell the user bandit26 uses. We do this by looking at the corresponding line in the ‘passwd’ file.

bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ ls -la /usr/bin/showtext
-rwxr-xr-x 1 root root 53 May  7  2020 /usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

We can see that the login shell is a script called ‘showtext’ that opens a file called ‘text.txt’ with the more program.

Next, when we look in the home directory of the current user, we find a private SSH key. We can copy-paste the private key into a file on our machine. To be able to log in with it, we need to restrict the permissions on the key file.

bandit25@bandit:~$ ls
bandit26.sshkey

$ chmod 700 bandit26.sshkey

When trying to log in, we see that the connection is closed because ‘/usr/bin/showtext’ is executed.


$ ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220
...
  _                     _ _ _   ___   __  
 | |                   | (_) | |__ \ / /  
 | |__   __ _ _ __   __| |_| |_   ) / /_  
 | '_ \ / _` | '_ \ / _` | | __| / / '_ \ 
 | |_) | (_| | | | | (_| | | |_ / /| (_) |
 |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/ 
Connection to bandit.labs.overthewire.org closed.

What exactly happened? The text in ‘text.txt’ is very short, so the whole text can be displayed immediately and more does not need to go into command/interactive mode. If we make the terminal window small enough that the text no longer fits, more will go into command mode. We can then use v to go into vim. Once vim is open, we can resize the window again.

Vim is now open as bandit26, and we can retrieve the password in different ways. With :e /etc/bandit_pass/bandit26 we can open the password file and read the password. If we want a shell, we could try the :shell command that vim offers. This command, however, uses the user’s default shell. What we need to do instead is to set the shell that vim uses to a useful one, like /bin/bash. The commands are :set shell=/bin/bash followed by :shell. Finally, we have a shell and can get the password for the user.

bandit26@bandit:~$ ls
bandit27-do  text.txt
bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
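
Seen from the defender's side, the weakness in this level is a login shell that is a script starting a pager. The following sketch is an added example, not part of the original walkthrough: it scans a passwd file for such entries. The program list, the function names, and the sample accounts alice and kiosk are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose login shell is a script that starts a
# pager or editor with a built-in escape, as /usr/bin/showtext does.

# Assumed, non-exhaustive list of programs with an editor or shell escape.
ESCAPABLE='more less man vi vim view ed'

# audit_login_shells PASSWD_FILE [ROOT]
# Prints "user:shell:program" per finding. ROOT is an optional prefix for
# resolving shell paths, used here to audit the constructed sample tree.
audit_login_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        script="${2:-}$shell"
        [ -f "$script" ] || continue
        # Only inspect scripts: the file must begin with "#!".
        [ "$(head -c 2 "$script")" = '#!' ] || continue
        for prog in $ESCAPABLE; do
            # Program as the command word of a line, optionally after exec
            # and with an absolute path in front.
            re="^[[:space:]]*(exec[[:space:]]+)?(/[^[:space:]]*/)?${prog}([[:space:]]|\$)"
            if grep -Eq "$re" "$script"; then
                echo "$user:$shell:$prog"
            fi
        done
    done < "$1"
}

# Constructed sample: a throwaway tree with a passwd file and two wrappers.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    printf '%s\n' '#!/bin/sh' '' 'export TERM=linux' '' \
        'more ~/text.txt' 'exit 0' > "$d/usr/bin/showtext"
    printf '%s\n' '#!/bin/sh' 'cat /etc/motd' > "$d/usr/bin/showmotd"
    printf '%s\n' \
        'bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext' \
        'alice:x:1001:1001::/home/alice:/bin/bash' \
        'kiosk:x:1002:1002::/home/kiosk:/usr/bin/showmotd' > "$d/passwd"
    echo "$d"
}

sample=$(make_sample)
audit_login_shells "$sample/passwd" "$sample"   # bandit26:/usr/bin/showtext:more
rm -rf "$sample"
```

To check a real system, call audit_login_shells /etc/passwd. A wrapper that only needs to print a file can use cat instead of a pager, since cat has no interactive mode to escape from.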

https://overthewire.org/wargames/bandit/bandit26.html


Next Level: Level 27

