Bandit Level 19 Walkthrough
Level 18 ➔ Level 19: Bypassing the Login Trap
1. My Objective
I have the password for bandit18, but I have a major problem. Every time I try to log in, the server prints "Byebye!" and immediately kicks me out. This is because the user's .bashrc file (a script that runs automatically upon login) has been modified to execute an exit command. My goal is to read a file named readme in the home directory despite being unable to stay logged in.
The Technical Conflict: A standard SSH connection tries to start an Interactive Shell. The .bashrc script is the "security guard" that stands at the door of that shell. As soon as I step inside, he pushes me back out. I need to get the file without stepping through that door.
2. The Feynman Explanation: The Trapped Entryway
How do I get something from inside a house if the front door is rigged to slam shut the moment I enter?
The "Window Reach" Analogy:
Imagine I need a book from a desk inside a room. The Door (.bashrc) has a trap: if I walk in to sit down and read, I get kicked out instantly.
However, I don't have to go inside and sit down. I can stand outside on the sidewalk and tell a Messenger (SSH): "Hey, don't let me in. Just reach through the window, grab that book, and bring it back to me here on the sidewalk."
In Linux, I can append a command to the end of the ssh command line. By doing this, I tell the server to run that specific command instead of starting the "trapped" interactive shell. This effectively bypasses the .bashrc file entirely.
3. Practical Solution
I will use the standard SSH command, but I will append the cat readme command to the very end of it. This forces the server to execute cat and return the output before it ever tries to give me a login prompt.
# I provide the command 'cat readme' at the end of the SSH connection string
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
# The terminal asks for the password I found in Level 17:
bandit18@bandit.labs.overthewire.org's password: [Enter Password]
# The server executes the command and prints the password for Level 19:
awSAn929SAb36906sV... (The Password appears here)
Connection to bandit.labs.overthewire.org closed.
What happened?
By specifying cat readme, I created a Non-Interactive Session. The server ran the command, sent the text of the file back to my screen, and then closed the connection. Because I never started an interactive bash shell, the malicious .bashrc script never had a chance to run.
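The same effect reproduced locally, as an added example that is not part of the original walkthrough: a throwaway HOME gets a constructed .bashrc trap and readme, `bash -i` stands in for the interactive login, and `bash -c` is how the server hands a command given to ssh to the user's shell. The interactivity guard at the top of the constructed .bashrc is an assumption modelled on the stock Debian/Ubuntu file; the secret and the function names are made up.

```shell
#!/bin/sh
# Constructed lab: nothing here touches the real account or any remote host.

make_lab() {
    lab=$(mktemp -d) || return 1
    # Constructed stand-in for the level's readme file.
    printf 'constructed-secret-123\n' > "$lab/readme"
    # Constructed .bashrc. First line: the guard found in the stock
    # Debian/Ubuntu .bashrc (assumed here), which makes non-interactive
    # shells return at once. Last lines: the trap itself.
    cat > "$lab/.bashrc" <<'EOF'
case $- in *i*) ;; *) return ;; esac
echo "Byebye!"
exit 0
EOF
    printf '%s\n' "$lab"
}

# Stand-in for a normal login: an interactive bash reads ~/.bashrc before
# anything else, so the trap exits the shell and cat is never reached.
run_interactive() {
    HOME="$1" bash -i -c 'cat "$HOME/readme"' </dev/null 2>/dev/null
}

# Command form: sshd passes the string to the user's shell with -c.
# That shell is not interactive, so the trap lines never execute.
run_command_form() {
    HOME="$1" bash -c 'cat "$HOME/readme"' </dev/null 2>/dev/null
}

demo() {
    lab=$(make_lab) || return 1
    echo "interactive : $(run_interactive "$lab")"
    echo "command form: $(run_command_form "$lab")"
    rm -rf "$lab"
}

# Run "sh thisfile demo" to see both results side by side.
if [ "${1:-}" = "demo" ]; then demo; fi
```

The interactive run prints only the trap's message, while the command form prints the file. A .bashrc that kicks users out is therefore a convenience setting, not an access control.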
🚀 My Pro Tips: Remote Execution Power
✨ Running Multiple Commands
I can run multiple commands at once by wrapping them in quotes. For example, if I wanted to list files before reading one:
ssh bandit18@host -p 2220 "ls -la; cat readme"
⭐ The Force Terminal Flag (-t)
Sometimes, remote commands require a "screen" to run (like the top command). If a bypass fails, I use -t to force a pseudo-terminal. However, in this level, we specifically want to avoid the terminal logic, so we leave it out.
🔍 Shell vs. Command
I always remember that .bashrc is a Shell configuration. Anything that doesn't start a shell (like a direct command execution) is invisible to it. This is a common way to recover systems when a user accidentally breaks their own login scripts.
4. Why this matters
I use this technique in the real world for automation. If I have 50 servers and I need to check the disk space on all of them, I don't log into each one. I write a script that "reaches through the window" of each server using SSH commands, grabs the data, and brings it back to me. It is the foundation of modern server orchestration and remote management.
Bypass Successful!
I've successfully outsmarted the login trap. I'll save the password and move on to Level 19 ➔ Level 20, where I will encounter the power of setuid binaries!
Tags: #Linux #Bandit #OverTheWire #SSH #Bashrc #RemoteExecution #Bypass #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips