OverTheWire - Bandit - Level 25 → Level 26

Warning: This post contains a solution!

Continue only if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!


Connect to the server using the following credentials:

Server: bandit.labs.overthewire.org
Port: 2220
Username: bandit25
Password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level Goal is:

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

First thing to do after logging in, is to take a look at the contents of the home folder, which reveals the file bandit26.sshkey. Quick check shows that this is a private key which should allow us to connect to the server as bandit26.

bandit25@bandit:~$ file bandit26.sshkey
bandit26.sshkey: PEM RSA private key
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

[...]

  _                     _ _ _   ___   __
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
 | '_ \ / _` | '_ \ / _` | | __| / / '_ \
 | |_) | (_| | | | | (_| | | |_ / /| (_) |
 |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to localhost closed.
bandit25@bandit:~$

Connecting to the server is possible, but will log us out immediately. From the level goal we know, that the shell is not /bin/bash. A quick look into /etc/passwd gives us more information about the shell.

bandit25@bandit:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[...]
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit27:x:11027:11027:bandit level 27:/home/bandit27:/bin/bash
[...]

The shell is located at /usr/bin/showtext.

bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

The more command is used in line 6 to open the file text.txt. more is useful to display long (text) files on small screens or in a size limited terminal window - similar to the less command, but with much fewer functions.
This means that we have to resize the currently used terminal window in size and make it so small to enter the more environment.

Once done, hit h to open the help menu. Resize the terminal window an take a look at the possible options.

Most commands optionally preceded by integer argument k.  Defaults in brackets.
Star (*) indicates argument becomes new default.
-------------------------------------------------------------------------------
<space>                 Display next k lines of text [current screen size]
z                       Display next k lines of text [current screen size]*
<return>                Display next k lines of text [1]*
d or ctrl-D             Scroll k lines [current scroll size, initially 11]*
q or Q or <interrupt>   Exit from more
s                       Skip forward k lines of text [1]
f                       Skip forward k screenfuls of text [1]
b or ctrl-B             Skip backwards k screenfuls of text [1]
'                       Go to place where previous search started
=                       Display current line number
/<regular expression>   Search for kth occurrence of regular expression [1]
n                       Search for kth occurrence of last r.e [1]
!<cmd> or :!<cmd>       Execute <cmd> in a subshell
v                       Start up /usr/bin/vi at current line
ctrl-L                  Redraw screen
:n                      Go to kth next file [1]
:p                      Go to kth previous file [1]
:f                      Display current file name and line number
.                       Repeat previous command
-------------------------------------------------------------------------------
--More--(66%)

The most interesting command here is v, which will start the editor vi at the current line. From vi, as mentioned in the SANS Penetration Testing blog article, we can start a shell. Type in :set shell=/bin/bash within vi and type in :shell then.

This will spawn a bash shell and allow us to get the password for this level.

bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Show Comments