OverTheWire Bandit Level 25->Level 26 - Walkthrough
Introduction
In this post, I will be giving you a walkthrough of the Bandit wargame Level 25->Level 26. In this level, we will learn about the more command and the vim editor, which will be used to clear the level.
Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it. We will get the password for bandit26 after logging in as the bandit26 user using the key file.
Login Details
Server - bandit.labs.overthewire.org
Port - 2220
Username - bandit25
Password - p7TaowMYrmu230l8hiZh9UvD009hpx8d
Theory
The "more" command in Linux is used to view text files one page at a time in the terminal. At the bottom of the terminal, more displays how much of the file has been shown so far, as a percentage. If the file is small enough for its entire content to fit in the terminal, more does not go into interactive mode.
vim is a text editor which also allows us to run shell commands. When more is in interactive mode, we can press the key "v" to open the vim editor. The ":" operator is used to enter command mode in vim. Using the "set shell" command we can change the shell that vim launches, and the "shell" command then opens the specified shell.
Each user has a default shell, which is recorded in the "/etc/passwd" file. This shell is the one that is started when the user logs in.
Solution
SSH into the user bandit25 using the command "ssh bandit25@bandit.labs.overthewire.org -p 2220" and the above password. Type "ls" and you will notice that the SSH key for bandit26 is present.
Type the command "ssh bandit26@localhost -i bandit26.sshkey -p 2220" to log in to bandit26.
We can notice that the connection is closed immediately after we log in to bandit26 successfully.
Since it is mentioned that the shell for bandit26 is something else, we will check the "/etc/passwd" file and find out the shell. Type the commands:
- cat /etc/passwd | grep 'bandit26'
- cat /usr/bin/showtext
We can see that bandit26 uses the shell "/usr/bin/showtext". We therefore view the contents of the shell by typing the command "cat /usr/bin/showtext".
Looking at the content of the shell, we can see that it is a shell script that uses the more command to display the contents of the text.txt file and then terminates. The command "exit 0" terminates the session, whereas the banner with the text "bandit26" is the content of the file "text.txt", which is stored in the home directory of bandit26.
We will reduce the size of the terminal, so that the banner no longer fits on one screen, and then log in again as bandit26.
As expected, the content could not fit in our terminal and the more command entered interactive mode. Press "v" to open vim, as described in the Theory section, and then enter the following:
- :set shell=/bin/bash
- Press "Enter" key
- :shell
- Press "Enter" key
The above commands make vim use bash as its shell and open it, which gives us a bash shell as bandit26. We can then get the password for bandit26 from the file "/etc/bandit_pass/bandit26". Type the command "cat /etc/bandit_pass/bandit26" to get the password.
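The weakness in this level is a login shell that is really a wrapper script around a pager with a built-in editor escape. The following is an added example, not part of the original walkthrough or of OverTheWire's setup, showing how an administrator could audit a passwd file for such wrappers; the function names, the tool list and the sample passwd entries and scripts are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: flag accounts whose login shell is a wrapper script that
# calls a pager or editor offering a shell escape (as showtext does with more).

# audit_login_shells PASSWD_FILE ROOT
#   PASSWD_FILE  file in /etc/passwd format
#   ROOT         prefix for shell paths ("" on a live system)
# Prints one "user:shell:tool" line per finding.
audit_login_shells() {
    passwd_file=$1
    root=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        target="$root$shell"
        [ -f "$target" ] || continue
        # Inspect only scripts (first line starts with #!); skip binaries.
        head -n 1 "$target" | grep -q '^#!' || continue
        for tool in more less vi vim man; do
            # Drop comment lines, then look for the tool as a whole word.
            if grep -v '^[[:space:]]*#' "$target" | grep -qw "$tool"; then
                printf '%s:%s:%s\n' "$user" "$shell" "$tool"
            fi
        done
    done < "$passwd_file"
}

# Constructed demo data (not copied from the server): a passwd file and a
# wrapper modelled on the walkthrough's description of /usr/bin/showtext.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    printf '#!/bin/sh\nmore ~/text.txt\nexit 0\n' > "$d/usr/bin/showtext"
    printf '#!/bin/sh\n# no more logins\necho disabled\nexit 1\n' > "$d/usr/bin/notice"
    cat > "$d/passwd" <<'EOF'
bandit25:x:11025:11025::/home/bandit25:/bin/bash
bandit26:x:11026:11026::/home/bandit26:/usr/bin/showtext
svc:x:12000:12000::/home/svc:/usr/bin/notice
EOF
    echo "$d"
}

demo=$(make_demo)
audit_login_shells "$demo/passwd" "$demo"
rm -rf "$demo"
```

On a live system the call would be audit_login_shells /etc/passwd "". The match is a text heuristic, so each finding still needs a manual look at the script.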
This completes the Level 26 walkthrough. Please post your questions and suggestions in the comment section.