Bandit 26
Objectives
Bandit Level 25 → Level 26Level GoalLogging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Solution
This one is crazy and I could get about 60% there just with my knowledge but had to cheat and google solution to find out how to solve it
so Here is what I did by myself before resulting to other write ups
let's check the etc/passwd to see what the default shell for bandit 26 is
Well the defulat shell is not /bin/bash like every other bandit.. lets see whats in that file
export TERM=linux
This is were I was stuck I could see that the user wasn't using a standard shell and was able to look at the shell file being called but I couldn't figure out what to do with this information. I spent the better part of an hour searching around on google trying to figure out my next step. After I gave up I found a write up that told me what to do here.
That more part of the script is very important to solving this challenge
in order to trigger that part of the script to run the SSH window must be shrunk down enough to triggger the More function which would normally scroll
if we press v on the keyboard that will load VIM
we can change the shell and then launch shell again to get normal bash access
now we got bash
I feel like I'm going to stop the bandit CTFs here. This is a bit too deep for me right now and I need to learn some more before talking the rest of these
Objectives
Bandit Level 25 → Level 26Level GoalLogging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Solution
This one is crazy and I could get about 60% there just with my knowledge but had to cheat and google solution to find out how to solve it
so Here is what I did by myself before resulting to other write ups
let's check the etc/passwd to see what the default shell for bandit 26 is
$ cat /etc/passwdbandit23:x:11023:11023:bandit level 23:/home/bandit23:/bin/bashbandit24:x:11024:11024:bandit level 24:/home/bandit24:/bin/bashbandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bashbandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtextbandit27:x:11027:11027:bandit level 27:/home/bandit27:/bin/bashbandit28:x:11028:11028:bandit level 28:/home/bandit28:/bin/bash
Well the defulat shell is not /bin/bash like every other bandit.. lets see whats in that file
cat /usr/bin/showtext#!/bin/sh
export TERM=linux
more ~/text.txtexit 0
This is were I was stuck I could see that the user wasn't using a standard shell and was able to look at the shell file being called but I couldn't figure out what to do with this information. I spent the better part of an hour searching around on google trying to figure out my next step. After I gave up I found a write up that told me what to do here.
That more part of the script is very important to solving this challenge
in order to trigger that part of the script to run the SSH window must be shrunk down enough to triggger the More function which would normally scroll
if we press v on the keyboard that will load VIM
we can change the shell and then launch shell again to get normal bash access
:set shell=/bin/bash:shell
now we got bash
bandit26@bandit:~$ cat /etc/bandit_pass/bandit265czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
I feel like I'm going to stop the bandit CTFs here. This is a bit too deep for me right now and I need to learn some more before talking the rest of these
Comments
Post a Comment