OverTheWire: Bandit Level 25 to Level 26

Level goal: Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Indeed, logging in is easy: simply run the usual command, which allows you to log in using an SSH key instead of login credentials.

ssh -i bandit26.sshkey bandit26@localhost

However, as soon as you log in to bandit26, you are logged out again with the message “Connection to localhost closed.”

As hinted by the question, let’s take a look at the login shell used by bandit26:

bandit25@melinda:~$ cat /etc/passwd | grep bandit26
 bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

Instead of /bin/bash, bandit26 is using /usr/bin/showtext, which is apparently not a shell. Let’s look at the content of the file:

bandit25@melinda:~$ cat /usr/bin/showtext
 #!/bin/sh
 more ~/text.txt
 exit 0

The way to obtain the password for this level is extremely creative. I salute the team who designed this portion of the challenge; it’s really good.

As we know, we will be logged out immediately after we gain access to the server using the SSH key. The way to get the level 27 password is to gain access to the file before your shell gets terminated.

Think about it: how can that possibly be done? The hint is that you are able to “log in” to the system; it is just that when it spawns a shell, the shell terminates immediately. The exact code is “exit 0”, as we have seen in the showtext “shell”.

Here’s the solution:

First, minimize your terminal so that when you log in to bandit26 via the ssh command, the large “bandit26” ASCII art banner no longer fits in the window and “more” pauses with a prompt to continue the output. You may refer to the screenshot as an illustration of how I have minimized my terminal:

[Screenshot: bandit25_2]

ssh -i bandit26.sshkey -t bandit26@localhost cat text.txt

Now that you have forced the terminal to prompt you to continue the display via “more” (“--More--(50%)” in this case), press “v” to enter “vim”, a built-in text editor on Unix machines. You will see the output as per below:

[Screenshot: bandit25_4]

Now, type “:e /etc/bandit_pass/bandit26” to open the password file of bandit26 in the editor.

There you go, you have the password to proceed to level 27!!

Let’s review what we have done. We forced the terminal to display a “more” prompt, from which we could start the VIM text editor and open the password file of bandit26 using the editor’s file-opening command. We are able to open this password file containing the bandit26 password because we are logged in to the bandit26 account, and this happens right before the “exit 0” portion of the code boots us out of the machine.

The password to gain access to the next level is 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z. However, level 27 is not up yet, therefore level 26 is the final bandit challenge as of now.
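
Seen from the defender's side, the weakness above is a login "shell" that is really a script handing the session to `more`, an interactive pager with an editor escape. The following is an added example, not part of the original post or of the OverTheWire setup: it audits a passwd file for login shells of that kind. The function names, the `kiosk` user and `showtext_safe` are hypothetical, and the fixture is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Flags accounts whose login
# "shell" is a script that runs an interactive pager or editor; those
# programs have editor/shell escapes, so they cannot confine a session.

# audit_login_shells PASSWD [ROOT]
#   PASSWD: passwd-format file. ROOT: optional path prefix for the shell
#   paths, so the check can run on a mounted image or a test fixture.
# Prints one "user:shell:program" line per finding.
audit_login_shells() {
    passwd=$1 root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        f="$root$shell"
        [ -f "$f" ] || continue
        # Inspect scripts only (file starts with "#!"), not compiled binaries.
        [ "$(head -c 2 "$f")" = '#!' ] || continue
        for prog in more less man vi vim view; do
            # Drop comments, then look for the program name as a command word.
            if sed 's/#.*//' "$f" |
                grep -Eq "(^|[;|&/[:space:]])$prog([[:space:]]|\$)"; then
                echo "$user:$shell:$prog"
            fi
        done
    done < "$passwd"
}

# Constructed fixture: the passwd entry and showtext script quoted on this
# page, plus a hypothetical "kiosk" user whose script uses cat (no pager).
demo() {
    fx=$(mktemp -d) || return 1
    mkdir -p "$fx/usr/bin"
    printf '#!/bin/sh\nmore ~/text.txt\nexit 0\n' > "$fx/usr/bin/showtext"
    printf '#!/bin/sh\n# no more pager here\ncat ~/text.txt\nexit 0\n' \
        > "$fx/usr/bin/showtext_safe"
    cat > "$fx/passwd" <<'EOF'
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
kiosk:x:12000:12000:hypothetical user:/home/kiosk:/usr/bin/showtext_safe
EOF
    audit_login_shells "$fx/passwd" "$fx"
    rm -rf "$fx"
}

demo
```

On a real host, call `audit_login_shells /etc/passwd` with no second argument; the match is a heuristic on the script text, so each finding still needs a manual look.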


11 Comments

  • loststeak

    April 15, 2017

    You didn’t go looking in the readme file in the bandit26 home directory. So you have only half finished level 26

    • Wen Bin

      May 6, 2017

      Hi loststeak,

      Good catch, it seems I really missed out the readme file for level26 back then. Is there anything interesting about its content that you would like to share? 🙂

      Also, I just checked, seems like level27 is still not released yet.
      Reference: http://overthewire.org/wargames/bandit/bandit27.html

      • Ken Bui

        October 19, 2017

        How can you access the readme file? It says permission denied.
        Also, thanks for this guide, it helped me out a bunch.

        How did you manage to figure out that you needed to minimize the terminal to force the more message while in pseudo-tty allocation?

        Do you have references of where you got the commands “v” for vim and “:e” for edit?
        Are those commands that you can use while only in a minimized terminal with pseudo-tty allocation?

        • Wen Bin

          November 5, 2017

          Hi Ken, sorry for the late reply. I’m glad that my guide has been helpful to you!

          To figure out the part where we need to minimise our terminal is simple. Please refer to the part where the challenge provides us with hints that the user “shell” is /usr/bin/showtext.

          Notice the second line uses the more command. In such cases, run man more on your Linux machine and you will see a list of possible commands that you can use while using more to display the content within a file.

          The concept is similar to when you are using a Linux server which only has a command-line interface; there is no GUI. To display the text of a file, you can use cat. What if the file is very long and you want to view the first few lines? You can use head. What about somewhere in the middle of the file which “scrolls through” too quickly for you to read it? That is where more comes in: it allows you to control the display of the content. On the bottom left, you can see that it even shows you how many percent of the content has been displayed already.

          Go try it!

  • AS33 (@wingedlizard5)

    January 6, 2018

    I had forgotten that all of the passwords were stored in /etc/bandit_pass, so I “solved” this a slightly different way. We did the same thing up until vim, at which point I did “:set shell=/bin/bash” then “:shell”

    From there I read the README.txt and called it a day since I had a full shell as bandit26 and a way to reliably produce it. Forgot to grab the password! 🙂

    • Wen Bin

      January 7, 2018

      Hi AS33, nice job in coming up with a different method which works too! Don’t worry about the password since like you said, you have a full shell and a way to reliably reproduce it anytime to grab the password. 😉

    • Dave Compton (SirCompo)

      March 16, 2018

      Thank you! I’d been trying and failing to get this working, thinking I’d have to run them as commands using the “:!command” syntax. I didn’t realise you could set env vars and launch the shell directly from vi. Glad I read these comments as I wasn’t satisfied with just reading the files from a text editor.

      • Wen Bin

        March 18, 2018

        Hi Dave, great to see that the different method shared by AS33 to get shell was helpful to you too! We all learn something new everyday 🙂

  • bladeoflight16

    September 15, 2019

    Does this still work with the latest versions of PuTTY? I couldn’t get it to work when using the ssh now built into Windows (when invoking it from PowerShell, for instance). Even manually setting the lines of scroll back to something low in PuTTY and setting the buffer to a low number of lines in PowerShell had no effect on the command just printing all the output and then ending. I’m using PuTTY 0.72 (released 2019-07-20).

    • kongwenbin

      August 17, 2021

      Hi bladeoflight16, I don’t think PuTTY would cause an issue in this case, have you tried using other tools to complete this challenge?

