OverTheWire - Bandit - Level 26 → Level 27

Warning: This post contains a solution!

Continue only if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!

Connect to the server using the following credentials:

Server: bandit.labs.overthewire.org
Port: 2220
Username: bandit26
Password: 5czgxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Level Goal is:

Good job getting a shell! Now hurry and grab the password for bandit27!

Important here is, that we need to stay in the shell spawned in the last level or spawn a shell again logging in with bandit25. Logging in using the above credentials is not possible because of the changed shell used (usr/bin/showtext).

There is an executable named bandit27-do in the home folder of user bandit26.

bandit26@bandit:~$ ls
bandit27-do  text.txt
bandit26@bandit:~$ file bandit27-do
bandit27-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped

From the filename it can be assumed that this executable executes commands as bandit27 user. Running the executable confirms that assumption.

bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
  Example: ./bandit27-do id

Running the executable with the cat command gives us the password.

bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
Show Comments