OverTheWire: Bandit Level 19
In the last post, we gained access to bandit18. Now, let’s find the password for bandit19.
Level 19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands you may need to solve this level
ssh, ls, cat
If we try logging into bandit18 with the password we have, this happens.
$ ssh bandit18@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargamesbandit18@bandit.labs.overthewire.org's password:
Linux bandit.otw.local 5.4.8 x86_64 GNU/Linux,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.orgWelcome to OverTheWire!If you find any problems, please report them to Steven or morla on
irc.overthewire.org.--[ Playing the games ]--This machine might hold several wargames.
If you are playing "somegame", then:* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
so that users can not snoop on eachother. Files and directories with
easily guessable or short names will be periodically deleted!Please play nice:* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!--[ Tips ]--This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relroIn addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.Finally, network-access is limited for most levels by a local
firewall.--[ Tools ]--For your convenience we have installed a few usefull tools which you can find
in the following locations:* gef (https://github.com/hugsy/gef) in /usr/local/gef/
* pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
* checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh--[ More information ]--For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.Enjoy your stay!Byebye !
Connection to bandit.labs.overthewire.org closed.
So we can’t even enter bandit18. How are we supposed to access the readme file?
Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
So we need to find a way around this.
.bashrc is a startup file of the bash terminal that is executed when the bash terminal is invoked. The .bashrc file of bandit18 is set to log us out when we login with SSH.
So we need a way to login with SSH and not call the .bashrc file.
I found this page that offers many solutions to such a problem. I’m going to use one of them for this level.
$ ssh -t bandit18@bandit.labs.overthewire.org -p 2220 bash --norc
This is a OverTheWire game server. More information on http://www.overthewire.org/wargamesbandit18@bandit.labs.overthewire.org's password:
bash-4.4$ ls
readme
bash-4.4$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
And we have the password for bandit19, IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x.
Happy Hacking!
