Bandit Level 33 Walkthrough

Level 32 ➔ Level 33: Escaping the Uppercase Jail

1. My Objective

I am currently logged in as bandit32. My goal is to find the final password. However, I am trapped in a "Welcome to the Upper Case Shell." Every command I type is automatically converted to uppercase. Since Linux is case-sensitive, typing ls becomes LS, which the system does not recognize. I need to find a way to escape this "shouting" shell and return to a normal bash environment.

The Technical Obstacle: The shell is likely a simple wrapper script that takes user input and transforms it. I need to find a command that doesn't use letters or a variable that represents the shell itself.

2. The Feynman Explanation: The Identity Crisis

How do I run a command if the system changes every word I say? I have to use the system's own "self-awareness" against it.

The Mirror Analogy:

Imagine I am in a room where a giant megaphone automatically yells everything I say in a deep, distorted voice. If I whisper "hello," the megaphone yells "HELLO!" and the guards don't recognize me.

However, the megaphone itself has a name. In shell scripting, the name of the program currently running is stored in a special variable called $0.

If I tell the megaphone: "Run $0," I am not using letters that can be distorted. I am pointing a finger at the mirror. Because $0 often points to the underlying original shell (like /bin/sh) that the megaphone is built upon, executing it "breaks" the loop and drops me into a quiet room where I can speak normally again. Escaping is about finding the one thing the restriction can't modify: its own identity.

3. Practical Solution

I log into bandit32 and immediately notice that any normal command fails. I use the $0 trick to escape.

# I try a normal command... it fails
bandit32@bandit:~$ ls
sh: 1: LS: not found

# Step 1: I use the positional parameter $0
bandit32@bandit:~$ $0

# The prompt changes to a simple '$'. I am now in a normal shell!
$ ls -la
total 28...

# Step 2: Read the final password file
$ cat /etc/bandit_pass/bandit33
od64Ng6pE6vSAr4S019SAb36906sV... (Final Password!)

Why did $0 work?

In Linux shells, $0 is a special variable that holds the name of the shell or the script being executed. In this level, the restricted environment is just a script running on top of sh. When I type $0, I am telling the system to run the original shell again, but this time it launches without the "Uppercase" script active, giving me full control.
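
The mechanism described above, as an added example that is not part of the original walkthrough: a constructed stand-in wrapper (assumed to upper-case each line and hand it to `sh -c`) next to an allowlist version that never evaluates the input. All function names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed stand-in for the level's wrapper. That it
# upper-cases a line and hands it to `sh -c` is an assumption from the text.

# The filter changes letters only; '$', digits and punctuation pass through.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Weak wrapper: the filtered text is still evaluated by a real shell.
# stdin is /dev/null so any shell started from here exits at once.
weak_run() { sh -c "$(upper "$1")" </dev/null >/dev/null 2>&1; }

# What $0 holds inside `sh -c`: the name the inner shell was started with.
inner_name() { sh -c 'printf %s "$0"'; }

# Hardened wrapper: input is compared with fixed strings, never evaluated.
strict_run() {
  case "$1" in
    year)   date +%Y ;;
    whoami) id -un ;;
    *)      echo "rejected"; return 1 ;;
  esac
}

# Print the exit status of a command without letting a failure abort the script.
status_of() { "$@" >/dev/null 2>&1 && echo 0 || echo "$?"; }

demo() {
  printf 'filter(ls)  = %s\n' "$(upper 'ls')"
  printf 'filter($0)  = %s\n' "$(upper '$0')"
  printf 'weak ls     -> exit %s\n' "$(status_of weak_run 'ls')"
  printf 'weak $0     -> exit %s\n' "$(status_of weak_run '$0')"
  printf 'inner $0    = %s\n' "$(inner_name)"
  printf 'strict $0   -> exit %s\n' "$(status_of strict_run '$0')"
  printf 'strict year -> exit %s\n' "$(status_of strict_run 'year')"
}
demo
```

The weak wrapper returns 127 for `ls` (it looked for `LS`) and 0 for `$0`, because the filter has no letters to change and the inner shell expands the parameter itself. The hardened wrapper rejects both, since nothing the user types ever reaches an interpreter.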

🚀 My Pro Tips: Positional Parameters

✨ The "$#" Shortcut

If I am writing a script and I want to know how many arguments the user gave me, I use $#. It’s a quick way to add error checking to my code.

⭐ Escaping with Other Tools

The $0 trick is the most common for this specific challenge, but sometimes you can escape restricted shells by using python or perl to spawn a shell, or even by using the !sh command inside vi or man.

🔍 Final Reflection

The Bandit series is designed to teach you that everything is a file and logic is your best tool. From reading readme files to exploiting git and cron, you have built a foundation of Linux knowledge that many professional sysadmins don't fully grasp.

4. Why this matters

I use shell escapes in real-world security audits when I encounter "Kiosks" or restricted terminals. If a company has a computer in a lobby meant only for browsing their website, I look for ways to trigger a shell via a "Print" menu or a "Help" file. Understanding how shells wrap around each other is key to both hardening a system and finding its weak points.

Bandit Journey Complete!

I've successfully cleared the final level. Congratulations on making it this far with me! You are no longer a "noobie"—you are a Linux user. Ready for the next wargame?

Tags: #Linux #Bandit #OverTheWire #ShellEscape #Bash #ShellScripting #PositionalParameters #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips
