Bandit25 - bandit26
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
This is a basic level to test if the user can read a file, simple enough to do with "cat"
bandit25@melinda:~$ ls -la total 32 drwxr-xr-x 2 root root 4096 Nov 16 17:01 . drwxr-xr-x 167 root root 4096 Mar 21 06:46 .. -rw-r----- 1 bandit25 bandit25 33 Nov 16 17:00 .bandit24.password -rw-r--r-- 1 root root 220 Apr 9 2014 .bash_logout -rw-r--r-- 1 root root 3637 Apr 9 2014 .bashrc -rw-r----- 1 bandit25 bandit25 4 Nov 16 17:00 .pin -rw-r--r-- 1 root root 675 Apr 9 2014 .profile -r-------- 1 bandit25 bandit25 1679 Nov 16 17:01 bandit26.sshkey bandit25@melinda:~$ cat /etc/passwd | grep bandit26 bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext bandit25@melinda:~$ file /usr/bin/showtext /usr/bin/showtext: POSIX shell script, ASCII text executable bandit25@melinda:~$ cat /usr/bin/showtext #!/bin/sh more ~/text.txt exit 0 bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost Could not create directory '/home/bandit25/.ssh'. The authenticity of host 'localhost (127.0.0.1)' can't be established. ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6. Are you sure you want to continue connecting (yes/no)? yes Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts). This is the OverTheWire game server. More information on http://www.overthewire.org/wargames Please note that wargame usernames are no longer level<X>, but wargamename<X> e.g. vortex4, semtex2, ... Note: at this moment, blacksun is not available. Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.19.1-x86_64-linode53 x86_64) * Documentation: https://help.ubuntu.com/ Welcome to the OverTheWire games machine ! Please read /README.txt for more information on how to play the levels on this gameserver. 4 packages can be updated. 4 updates are security updates. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. _ _ _ _ ___ __ | | | (_) | |__ \ / / | |__ __ _ _ __ __| |_| |_ ) / /_ | '_ \ / _` | '_ \ / _` | | __| / / '_ \ | |_) | (_| | | | | (_| | | |_ / /| (_) | |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/ Connection to localhost closed. bandit25@melinda:~$
This one was interesting... They used more instead of cat... If a print is longer than the terminal, more breaks so the user can read by locking the screen to scroll up and down. After reading the man on more it turns out in this mode we can hit 'v' to make it switch over to vim to edit it. Once you are in vim you can enter
Once you do this VIM throws a read only message, hit ENTER and you will be able to see the password.