Level Goal
Logging in to bandit26 from bandit25 should be fairly easy... The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Commands you may need to solve this level
- ssh
- cat
- more
- vi/m
- ls
- id
- pwd
Helpful Reading Material
- None provided.
When we log into bandit25 we see a private key in our home directory.
    ssh -i ./bandit26.sshkey
When we run this to get into bandit26 we get a screen of text and are then kicked out. Let's find out which shell is being used by running cat on the /etc/passwd file and piping it to grep to select only bandit26.
    cat /etc/passwd | grep "bandit26"
We'll get the following line:
    bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
Let's check out this file.
    cat /usr/bin/showtext
It's a shell script that looks like the following:
    #!/bin/sh
    more ~/text.txt
    exit 0
So we'll assume that text.txt contains the bandit 26 text message. Now we have to figure out how to escape from the "shell". The trick is to resize the window so that more has to paginate: it will then stop and wait for input instead of running straight through to exit 0. We'll do that by resizing the terminal window to something less than 6 lines tall. After that we'll need to find a way to bypass the more command to get the password for bandit26. Let's start by checking man more to see if there is any way to bypass it, since we can't modify the /usr/bin/showtext script.
    man more
We'll see that more is a filter for paging through text one screenful at a time. However, the text displayed does not fill a full screen, so we weren't seeing that more was the application being called (unless you have your terminal set to a small window size). Under the COMMANDS section we also see that there are interactive commands that are based on vi. Scrolling further shows the list of commands, only two of which may be interesting to us. Particularly the !
I couldn't get anything to actually execute with the !
I did a search for vi commands that can be used inside of the visual editor and the only one that seems feasible is r which replaces the character under the cursor with {char}. If we do this to use the /etc/bandit_pass/bandit26 file it replaces a character with the contents of the file.
    :r /etc/bandit_pass/bandit26
This is the password for bandit26, although it doesn't do much good because we don't have a shell.
EDIT:
I have figured it out: inside of visual mode, we will set the vi shell by using the following command:
    :set shell sh=/bin/bash
Then we need to start the shell by running the sh command.
    :sh
This will drop us out of more and into a bona fide bash shell.
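For anyone who relies on a wrapper script as a restricted login shell, here is an added example (not part of the original post or of the Bandit game) that audits a passwd file for the pattern seen above: a login shell that is a script launching an interactive pager or editor. The function names, the program list, the `cattext` script and the `notice` account are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose login shell is a wrapper script that
# starts an interactive pager or editor, as /usr/bin/showtext does with more.

# Starting list of programs with built-in editor or shell escapes (assumption:
# extend it for your environment).
ESCAPE_PROGS='more|less|man|vi|vim'

# audit_login_shells PASSWD_FILE [ROOT]
# ROOT is prepended to each shell path so the check can run against a
# constructed tree; leave it empty to inspect the live filesystem.
audit_login_shells() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        target="$root$shell"
        [ -f "$target" ] || continue
        # Only scripts are inspected: the file must start with a shebang.
        [ "$(head -c 2 "$target")" = '#!' ] || continue
        # First command word in the script that is on the list, if any.
        hit=$(grep -Eo "(^|[[:space:];|&])($ESCAPE_PROGS)([[:space:]]|\$)" "$target" |
            head -n 1 | tr -d '[:space:];|&')
        if [ -n "$hit" ]; then
            printf '%s %s %s\n' "$user" "$shell" "$hit"
        fi
    done < "$passwd_file"
    return 0
}

# Constructed sample: the passwd entry and script from this page, plus a
# hypothetical "notice" account whose wrapper uses cat, which never paginates.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin"
    printf '#!/bin/sh\nmore ~/text.txt\nexit 0\n' > "$dir/usr/bin/showtext"
    printf '#!/bin/sh\ncat ~/text.txt\nexit 0\n' > "$dir/usr/bin/cattext"
    cat > "$dir/passwd" <<'EOF'
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
notice:x:12000:12000:constructed account:/home/notice:/usr/bin/cattext
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample)
audit_login_shells "$sample/passwd" "$sample"
rm -rf "$sample"
```

Each output line gives the account, its login shell and the first matching program; only the bandit26 entry is reported for the constructed sample.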