Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Solution

Password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Let’s see if we have anything in our home directory…

An SSH private key.

Well, we know what to do with that. Let’s get out and download the key.

Now let’s use it.

How rude. Well, we were warned. Let’s get back into bandit25 and see what shell bandit26 is running.

Alright. Let’s see what /usr/bin/showtext is.

It does some initialisation, then it uses more on a text file before exiting.

Interesting. more will not exit if it has more text to display.

Let’s try and force this behaviour. We’ll login to bandit26 again, but we’ll rescale our terminal window to be as small as we can make it.

Awesome. Now we have some time to think. Let’s check the more manpage to see what we can do.

A little bit further down…

Interesting. We can execute commands. Well, we know where the password is. Let’s try and read the file.

Doesn’t work. Drats. Let’s see what else more can do.

Hmmm. Let’s try that. I’ll press vOh goody. Something a bit more useful than more. It’s our good friend vi. Now I know for sure I can open new files in vi. Let’s give it a go.

Press enter…

At time of writing, there is no bandit27. So bandit26 is the end of this wargame.

Bonza.