Wednesday, December 10, 2014

Bandit Level 18 to Level 19

Logging in with ssh without having .bashrc run.
 
Host name is bandit.labs.overthewire.org 
User: bandit18
password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Goal: The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands used for this level:
ssh - OpenSSH SSH client
/bin/sh - the POSIX (Bourne-compatible) shell; on Debian and Ubuntu it is dash, not bash, and it never reads .bashrc

Step 1
When we try to log in to this level the normal way we are logged out immediately, because the .bashrc file has been edited to do exactly that to us. .bashrc is read by interactive bash shells that are not login shells, and on Ubuntu the default .profile sources it for login shells as well, which is why a plain SSH login hits it; it is the usual place to change how our interactive shell behaves. What we need is a way to log in that does not run .bashrc at all.
What we can do is tell ssh to run a different shell instead of bandit18's login shell, which is bash. A login bash reads /etc/profile and then the first of .bash_profile, .bash_login or .profile that exists; an interactive non-login bash reads .bashrc. You can read about that in the INVOCATION section of the bash man page.
We will tell ssh to run /bin/sh instead of dropping us into bandit18's login shell, which we know runs the .bashrc that logs us out. /bin/sh is not bash: it is the plain POSIX shell, and on the Bandit host (Ubuntu) it is dash, which only ever reads .profile (as a login shell) or the file named in $ENV (as an interactive shell) and never .bashrc. Even on systems where /bin/sh is a link to bash, bash started under the name sh behaves like the Bourne shell and does not read .bashrc. This is also why scripts start with the hashbang #!/bin/sh: it asks for the basic POSIX shell that every Unix system has, not for bash. One caveat worth knowing: sshd hands a remote command to the user's login shell as bash -c "/bin/sh", so a non-interactive bash still starts first; Debian builds of bash can source .bashrc even in that case when SSH_CLIENT is set, so this trick relies on the logout living in the interactive-only part of .bashrc. Our login should be simple enough now that we know more.
We could just type ssh bandit18@bandit.labs.overthewire.org /bin/sh, but we would not see a prompt: when ssh is given a command to run it does not allocate a pseudo-terminal on the remote side, so /bin/sh starts non-interactively and reads commands from the connection without prompting. Adding -t forces ssh to allocate a tty, which makes /bin/sh interactive and gives us a prompt.
Type ssh -t bandit18@bandit.labs.overthewire.org /bin/sh

Step 2.
We are now in and can check if we see the readme file with ls.
Type ls
We see the readme file, so all we have to do is cat it with cat readme, and the password for the next level is displayed: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
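To make the difference between the shells concrete, here is an added example that is not part of the original post. It builds a throwaway HOME with a .bashrc that throws you out (constructed for the demo, not a copy of the real bandit18 file) and runs three shells against it: interactive bash (bash -i) reads ~/.bashrc and gets logged out; sh never reads ~/.bashrc, whether it is dash or bash acting as sh; and bash --norc is the explicit bash way of asking for the same thing the /bin/sh trick gets you. The env -i is there because a bash built with SSH_SOURCE_BASHRC, as Debian's is, will also source ~/.bashrc for a non-interactive bash -c when SSH_CLIENT is in the environment; clearing the environment keeps that from skewing the comparison if you run the demo inside an SSH session. The function names (run_with_trap, survives, report) are my own.

```shell
#!/bin/sh
# Added demo, not from the original post: reproduce a logout-on-login .bashrc
# in a scratch HOME and check which shell invocations survive it.

# Constructed .bashrc for the demo: print a message and throw the shell out,
# the way the level's modified .bashrc does to an interactive login.
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
printf '%s\n' 'echo "bashrc: Byebye!"' 'exit 0' > "$demo_home/.bashrc"

# Run the given shell (e.g. "bash -i", "sh", "bash --norc -i") with the
# booby-trapped HOME and a clean environment, asking it to echo SURVIVED.
# env -i drops SSH_CLIENT so a bash built with SSH_SOURCE_BASHRC (Debian's is)
# cannot decide on its own to source ~/.bashrc for a bash -c command.
# stderr is discarded because "bash -i" without a tty warns about job control.
run_with_trap() {
    env -i HOME="$demo_home" PATH="$PATH" "$@" -c 'echo SURVIVED' 2>/dev/null || true
}

# Returns 0 if the shell got as far as running our command, 1 if its startup
# files logged it out first.
survives() {
    out=$(run_with_trap "$@")
    case "$out" in
        *SURVIVED*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Human-readable verdict for one invocation.
report() {
    if survives "$@"; then
        echo "$*: SURVIVED (startup files did not log us out)"
    else
        echo "$*: logged out by .bashrc"
    fi
}

report bash -i          # interactive bash reads ~/.bashrc and is thrown out
report sh               # POSIX sh (dash, or bash invoked as sh) never reads ~/.bashrc
report bash --norc -i   # interactive bash told explicitly to skip ~/.bashrc
```

Run it with sh demo.sh. The second line is the whole reason ssh -t ... /bin/sh works, and the third line is the mechanism behind the common alternative of asking ssh -t for bash --norc instead.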

2 comments:

  1. ssh -t bandit18@bandit.labs.overthewire.org /bin/sh
    didn't work for me
    but this did
    ssh -t bandit18@localhost /bin/sh

  2. Because you were trying to enter that command while you were still logged in as the bandit17 user. Exit the session and then try that command, and it will work.
