Bandit26
Website URL: http://overthewire.org/wargames/bandit/bandit26.html
Let’s log into the server as bandit25
The task is as follows:
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Let’s find out the shell being used by bandit26. It would be mentioned in /etc/passwd file.
cat /etc/passwd
As we can see from the /etc/passwd file, bandit26 seems to be using shell from /usr/bin/showtext. Let’s have a look inside this shell.
cat /usr/bin/showtext
Well, that’s an understandable code, but what now? How do we log into the bandit26?
Let’s try to see what’s in the home directory of the current user.
ls
Voila! We now have a way to access bandit26. The next logical step would be to use this SSH key to log in as bandit26. However, we know, from our exploration above, that logging into bandit26 will open up a more prompt and then exit. Let’s try it out and see if what we think is actually true.
ssh bandit26@localhost -i bandit26.sshkey
So, as can be seen here, as soon as we log into bandit26, we get kicked out. We need to find a way around this, we need some way that any code that we inject can be and is executed.
Going by the script that we saw earlier (Fig. 3), the only place I think I can inject something or play with it seems to me to be during the execution of the more command. It might be possible that I could inject some code, or get a command shell during the operation of the command. Let’s explore the possibility.
The first thing that’s needed to be done is to somehow pause the more command execution, only then we will actually be able to inject command. Reading a bit about more.
man more Skipping down to the interesting part:
If you notice, there is an interesting command v, which is visual mode. This might be useful for us. So, what needs to be done is log into bandit26 using the sshkey, and then immediately press v, while the last few lines are being printed (after the “Enjoy the Stay”, since that is the normal ssh banner).
If you try it out, you will find, the above method wouldn’t be working directly, no matter how many times you try. As soon as you login with the SSH key, it executes and exits the login. This is because, more is never actually being triggered long enough for us to inject our command. The trick is to use more for the exact purpose it was built, i.e. reading long files.
What we will do is to reduce the terminal size to such a small size that the text file contents does not fit the terminal display area. This will force more to be triggered, enabling us to inject our commands.
Now, we can press v to trigger the interactive mode of the program and then Esc key followed by : to get the subshell.
All that’s left now is to get a linux shell to obtain the bandit26 password.
:set shell=/bin/bash
:shell
Task is downhill from now on.
cat /etc/bandit_pass/bandit26Mission accomplished!