Bandit25 - bandit26

From JaxHax

Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.


Solution

This is a basic level to test whether the user can read a file, which is simple enough to do with "cat".

bandit25@melinda:~$ ls -la
total 32
drwxr-xr-x   2 root     root     4096 Nov 16 17:01 .
drwxr-xr-x 167 root     root     4096 Mar 21 06:46 ..
-rw-r-----   1 bandit25 bandit25   33 Nov 16 17:00 .bandit24.password
-rw-r--r--   1 root     root      220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root     root     3637 Apr  9  2014 .bashrc
-rw-r-----   1 bandit25 bandit25    4 Nov 16 17:00 .pin
-rw-r--r--   1 root     root      675 Apr  9  2014 .profile
-r--------   1 bandit25 bandit25 1679 Nov 16 17:01 bandit26.sshkey

bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

bandit25@melinda:~$ file /usr/bin/showtext
/usr/bin/showtext: POSIX shell script, ASCII text executable

bandit25@melinda:~$ cat /usr/bin/showtext 
#!/bin/sh

more ~/text.txt
exit 0

bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun is not available.

Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.19.1-x86_64-linode53 x86_64)

 * Documentation:  https://help.ubuntu.com/

Welcome to the OverTheWire games machine !

Please read /README.txt for more information on how to play the levels
on this gameserver.

4 packages can be updated.
4 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

  _                     _ _ _   ___   __  
 | |                   | (_) | |__ \ / /  
 | |__   __ _ _ __   __| |_| |_   ) / /_  
 | '_ \ / _` | '_ \ / _` | | __| / / '_ \ 
 | |_) | (_| | | | | (_| | | |_ / /| (_) |
 |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/ 
Connection to localhost closed.

bandit25@melinda:~$


This one was interesting: the login shell uses more instead of cat. When the text is longer than the terminal, more pauses and holds the screen so the user can scroll through it. The man page for more shows that in this mode pressing 'v' makes it switch over to vim to edit the file. Once you are in vim you can enter:

:r /etc/bandit_pass/bandit26


Once you do this, vim shows a read-only message; press ENTER and you will be able to see the password.

5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
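
From the defender's side, the same weakness can be found by auditing login shells. The script below is an added example, not part of the original walkthrough or of the OverTheWire setup: it flags accounts whose shell in /etc/passwd is a script that calls a pager or editor offering interactive escapes. The watch list, the function names, the showtext_cat script and every passwd line other than bandit26's are constructed for the illustration.

```shell
#!/bin/sh
# Audit login shells that are scripts calling programs with interactive
# editor/shell escapes. ESCAPABLE is an assumed watch list; extend as needed.
ESCAPABLE='more|less|most|man|vi|vim|view|ed|nano'

# audit_shells PASSWD ROOT: print "user:shell:programs" for every account
# whose login shell, resolved under ROOT, is a script naming a listed program.
# Heuristic: it matches whole words, so quoted text can give false positives.
audit_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        path="$2$shell"
        [ -f "$path" ] || continue                         # shell not present
        head -n 1 "$path" | grep -q '^#!' || continue      # scripts only
        # Drop the shebang and comments, split into words, keep watched names.
        hits=$(sed -e 1d -e 's/#.*//' "$path" | tr -cs 'A-Za-z0-9_./-' '\n' |
               grep -Ex "(.*/)?($ESCAPABLE)" | sed 's|.*/||' | sort -u |
               paste -sd, -) || true
        if [ -n "$hits" ]; then
            printf '%s:%s:%s\n' "$user" "$shell" "$hits"
        fi
    done < "$1"
    return 0
}

# make_demo_root: build a constructed passwd file and two login scripts in a
# temp dir. showtext is the script shown on the page; showtext_cat is a
# hypothetical variant that prints the banner with cat instead of a pager.
make_demo_root() {
    root=$(mktemp -d) && mkdir -p "$root/etc" "$root/usr/bin" || return 1
    printf '#!/bin/sh\n\nmore ~/text.txt\nexit 0\n' > "$root/usr/bin/showtext"
    printf '#!/bin/sh\n\ncat ~/text.txt\nexit 0\n' > "$root/usr/bin/showtext_cat"
    cat > "$root/etc/passwd" <<'EOF'
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
banner:x:12000:12000:constructed account:/home/banner:/usr/bin/showtext_cat
EOF
    printf '%s\n' "$root"
}

demo=$(make_demo_root)
audit_shells "$demo/etc/passwd" "$demo"   # → bandit26:/usr/bin/showtext:more
rm -rf "$demo"
```

On a live host the call would be audit_shells /etc/passwd "" so that shell paths resolve against the real filesystem.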