Bandit level 26 requires us to get a shell since you’ll get something different when you login into the machine
let’s start by logging into the server as bandit26
ssh email@example.com -p 2220
with the ssh key that you should’ve added before from the previous level
When you try to login, you will get the normal starting introduction but then the connection will close.
let’s try first to pass commands with the ssh for example
ssh firstname.lastname@example.org -p 2220 -t 'ls -la'
but the connection keeps dropping, so it might be because of bandit26 is not using shell so we need to see which “shell” is being used by bandit26.
since we can’t login to the account, let’s go back to bandit25 and check /etc/passwd file where it contains the information we need.
you can bandit25 creds from here.
you should get the following line for bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
so it runs a program /usr/bin/showtext, let’s try to see what is the content of that file.
#!/bin/sh export TERM=linux more ~/text.txt exit 0
so we’re using linux terminal, then it runs “more” command to view text.txt and exits.
now, more command will show the whole content of the file if it fits into the screen, meaning if you have a terminal that displays 10 lines on the screen and you run more command for a file that has 6 lines for example, it will show the whole content then exists BUT if you have a terminal that shows 10 lines and the file has 20 lines of content, it will still run and will “paginate” the content.
to put this into practical work, when we were trying to login, the connection was being closed so fast since the lines to show the file is less than the lines that our terminal is capable to show, so let’s try to minimize the site of the terminal.
So we will keep minimizing the terminal until we get something similar.
After you get that, you can change the size of the terminal back to normal again without any problem.
so we were able to show “more” command, stop ssh from closing.
one of the stuff about more is that you can edit the file directly without the need to leave the command, the editor will be the one set by default from the system. To do that you need to press ‘v’ and you should see the vim editor is launched.
right now we have vim running with permissions of bandit26 since it’s our user, so all we need to do is to get the password for that user.
since we have vim open, one of the basic commands for vim is “:e” which allows us to open a file, and as we know the password is saved in /etc/bandit_pass/bandit26, so let’s try to combine these two.
and you should get the following password for our user.
and that should be it for the bandit level 26.