Good job getting a shell! Now hurry and grab the password for bandit27!
Perform the Level 25.
alias l='ls -lah --color=auto'
alias v=vim
export EDITOR=vim
/etc/bandit_pass/bandit26
The level goal is a bit confusing, can I access the password for bandit27 with bandit26 user?
:e /etc/bandit_pass/bandit27
...
<it_pass/bandit27" [Permission Denied]
I'm getting a permission denied.
:sh
# nothing happened
:echo $SHELL
bash
Run this to the vim command
:read !echo $SHELL
Nothing happened
We can execute a command by 'writing' from vim buffer to the $SHELL or /bin/bash
# write this to the vim buffer
echo 'test command'
Run this to the vim command
:w !$SHELL
There still no output
!echo 'test'
Doesn't work 😭
- Create files from the
/tmp/directory and see if we can write from commands.
:e /tmp/ihavesomerandomfolder/myfile.txt
- Create a script and invoke it, then write to another file
echo 'test' > /tmp/ihavesomerandomfolder/out.txt
:w !/bin/bash
- Read the file
:e /tmp/ihavesomerandomfolder/out.txt
The file content is empty 🤧
Whenever I try to invoke some commands, the text.txt file content shows up.
Even though I have written the commands from vim buffer to the $SHELL or /bin/bash, it
seems that the commands are not invoked properly.
:set shell?
shell=/usr/bin/showtext
Oh! It was using the /usr/bin/showtext for it's subshell.
This explains whenever we invoke commands, the text.txt file content shows up!
Where does it inherit it? From our login? I do not know how it works.
Let's check in bandit25 user and see the help page and the $SHELL environment.
- Display
$SHELL
echo $SHELL
/bin/bash
- Invoke vim
vim
- Check for
shellvalue
:set shell?
/bin/bash
- Verify if changing
$SHELLaffects vimshell
export SHELL=/bin/bash/TEST
echo $SHELL
- Invoke vim and view the
shellvalue
vim
:set shell?
/bin/bash/TEST
It's using the $SHELL environment variable. I'll assume that vim
will pick this up. Let's verify it on bandit26 shell.
- Verify the
shellvalue again
:set shell?
/usr/bin/showtext
- Update
shellvalue to/bin/bash
:set shell=/bin/bash
:sh
$whoami
bandit26
echo $SHELL
/usr/bin/showtext
The vim used the $SHELL environment variable for its shell config.
ls -lah
...
-rwsr-x--- 1 bandit27 bandit26 7.2K May 7 2020 bandit27-do
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3.5K May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
drwxr-xr-x 2 root root 4.0K May 7 2020 .ssh
-rw-r----- 1 bandit26 bandit26 258 May 7 2020 text.txt
We have a setuid permission bit for bandit27-do and looks like this is what
we did in previous level.
./bandit27-do whoami
bandit27
Confirmed that it's just the same.
./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
3ba3118a22e93127a4ed485be72ef5ea
- I have learned that vim uses
$SHELLto set theshellconfig. - Know a bit about vim and managed to explore to access a subshell.
- Knowing that even though we're writing the vim buffer to
/bin/bashit's still invoking a subshell to perform that command. I could've noticed it in a few more tries.
What might I need to learn for better mastery, or what strategies might I use the next time to get better results?
- Improve knowledge in common usage of environment variables.
OverTheWire: Bandit Level 26 by S.P.
They have also set the shell config for the vim.
</ OverTheWire > Bandit Level 26 → Level 27 by </ The Girl Who Encrypts >
They also did the same thing.