MayADevBe Blog

A Blog about Computer Science

OverTheWire Bandit Level 32 -> 33 - Walkthrough

Published - 2022-08-01 | 2min

Previous Level: Level 32

Login

SSH: ssh bandit32@bandit.labs.overthewire.org -p 2220

Password: 56a9bf19c63d650ce78e6ec0354ee45e

Task

After all this git stuff its time for another escape. Good luck!

A little bit of Theory

Linux has Variables called local variables (valid in current shell), shell variables (set up by shell) and environment variables (valid systemwide). These variables have their names in uppercase only. They are defined by writing VAR_NAME=var_value in the command line. To see the content of a variable, you can write echo $VAR_NAME.

To print all environment variables, you can use printenv.

Some common that are good to know are:

  • TERM -  current terminal emulation
  • HOME - the path to home directory of currently logged in user
  • LANG - current locales settings
  • PATH - directory list to be searched when executing commands
  • PWD - pathname of the current working directory
  • SHELL/0 - the path of the current user’s shell
  • USER - currently logged-in user

Solution

When using ssh to get access to the machine, we are greeted with a slightly different shell: WELCOME TO THE UPPERCASE SHELL. This already gives us an idea of what the shell does. Testing a simple command, we get the following:

1
2

>> ls  
sh: 1: LS: not found

So everything we type seems to be made uppercase. The commands we have used so far however, are all lower-case and do not work. The one thing in Linux that is uppercase is variables. Specifically, the variable $0 has a reference to a shell. You can see this with echo $0 on your machine.

This lets us break out of the uppercase shell and we can use commands again.

1
2
3
4
5
6
7
8
9

>> $0
$ ls -la
total 28
drwxr-xr-x  2 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile
-rwsr-x---  1 bandit33 bandit32 7556 May  7  2020 uppershell

We can see that the file ‘uppershell’ runs as bandit33 (owned by user ‘bandit33’ and SUID). Checking this, we can see that we are in fact ‘bandit33’ and therefore, we can read the password file:

1
2
3
4

$ whoami
bandit33
$ cat /etc/bandit\_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee

Since at the time of writing this, it is the last level, we can do one final login to make sure we got the correct password. And we find this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt 
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!

https://overthewire.org/wargames/bandit/bandit33.html


Share on:
Comments:
Related Content:
OverTheWire Bandit Level 31 -> 32 - Walkthrough

A walkthrough of Level 31 -> 32 of the Bandit wargame from OverTheWire. - Git Push, Commit, Ignore, Add.

OverTheWire Bandit Level 30 -> 31 - Walkthrough

A walkthrough of Level 30 -> 31 of the Bandit wargame from OverTheWire. - Git Tagging.