Warning: This post contains a solution!
Continue only if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!
Connect to the server using the following credentials:
Level Goal is:
Good job getting a shell! Now hurry and grab the password for bandit27!
Important here is, that we need to stay in the shell spawned in the last level or spawn a shell again logging in with bandit25. Logging in using the above credentials is not possible because of the changed shell used (
There is an executable named
bandit27-do in the home folder of user bandit26.
bandit26@bandit:~$ ls bandit27-do text.txt bandit26@bandit:~$ file bandit27-do bandit27-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped bandit26@bandit:~$
From the filename it can be assumed that this executable executes commands as bandit27 user. Running the executable confirms that assumption.
bandit26@bandit:~$ ./bandit27-do Run a command as another user. Example: ./bandit27-do id
Running the executable with the cat command gives us the password.
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27 3ba3xxxxxxxxxxxxxxxxxxxxxxxxxxxx