
OverTheWire - Bandit: Level 26 to Level 27


Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

To check the shell for user bandit26 we use getent:

$ getent passwd bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

The “shell” is a simple shell script which displays the content of a text file in bandit26’s home directory.

$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

exec more ~/text.txt
exit 0

We just need to become bandit26. Taking a look into the current user’s home directory, we can see a private SSH key with the name bandit26.sshkey. Connecting to bandit26 using the private key shows the typical welcome message and then closes the connection. The welcome message is probably the content of text.txt. The connection is closed due to the usage of exec: it replaces the login shell with more, so the session ends as soon as more exits.

Since the command executed is more, this is probably an entry point to a shell. Taking a look into the documentation of more, one can find the following:

v
	 Start up an editor at current line. The editor is taken from the environment variable VISUAL if defined, or EDITOR if VISUAL is not defined, or defaults to vi(1) if neither VISUAL nor EDITOR is defined.

To exploit this command, one must get into the paging mode of the more utility. At first, I didn’t find a way to get into it. This seems to be due to my usage of the Windows Subsystem for Linux (WSL2) on Windows and probably the combination with Windows Terminal. So, I wasn’t able to trick the script into pagination, no matter how small I made the window - still, I do not know why it didn’t work. At first I thought this wouldn’t be the way, and after some time I searched for a solution hint. According to this Medium article, exploiting the usage of more is the way to go.

So, booting up a Linux machine, opening an xfce-terminal on Manjaro, making the window pretty small - there it is: pagination. Now, the easiest way to get the password is pressing v to open a vi instance. Then we can open the password file using :e /etc/bandit_pass/bandit26:

c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1

Another way to access the password is by opening a shell from inside vi. To do so, the following commands are executed inside vi:

:set shell=/bin/bash
:shell

Now we have a bash shell and are able to browse around.

$ cat /etc/bandit_pass/bandit26
c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1
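
Seen from the defender's side, the weakness above is a login shell that is a script wrapping a pager with an editor escape. The following is an added example, not part of the original write-up, that checks a passwd entry for this pattern; the helper names and the program list are assumptions chosen for illustration, and the fixture is constructed from the entry and script shown above.

```shell
#!/bin/sh
# Added example: flag login "shells" that are scripts wrapping a program
# with a built-in editor or shell escape (the showtext/more case above).

# Programs assumed to offer an interactive escape (illustrative, not exhaustive).
ESCAPE_PROGS='more less vi vim view man ed'

# login_shell_of LINE -> prints field 7 of a passwd(5) entry
login_shell_of() {
    printf '%s\n' "$1" | cut -d: -f7
}

# risky_programs FILE -> prints each listed program that FILE invokes,
# if FILE is a script (starts with "#!"); prints nothing otherwise.
risky_programs() {
    [ -r "$1" ] || return 0
    [ "$(head -c 2 "$1")" = '#!' ] || return 0
    for prog in $ESCAPE_PROGS; do
        # match the program as a whole word on a non-comment line
        if grep -v '^[[:space:]]*#' "$1" |
            grep -Eq "(^|[[:space:];|&/])$prog([[:space:];|&]|\$)"; then
            printf '%s\n' "$prog"
        fi
    done
}

# audit_entry LINE ROOT -> "user shell prog" for each finding; ROOT is a
# prefix so the check can run against a mounted image or a test fixture.
audit_entry() {
    user=${1%%:*}
    shell=$(login_shell_of "$1")
    for prog in $(risky_programs "$2$shell"); do
        printf '%s %s %s\n' "$user" "$shell" "$prog"
    done
}

# Constructed fixture reproducing the script shown above.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf '#!/bin/sh\n\nexport TERM=linux\n\nexec more ~/text.txt\nexit 0\n' \
        > "$root/usr/bin/showtext"
    printf '%s\n' "$root"
}

FIXTURE=$(make_fixture)
audit_entry 'bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext' "$FIXTURE"
```

On a live system the entries would come from getent passwd and ROOT would be empty; a finding means the account's restriction depends on the wrapped program never handing control to an editor or shell.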

Categories: #/writeups/; #/overthewire/

Tags: #/security/; #/hacking/; #/bash/; #/linux/; #/ctf/