
OverTheWire Bandit: Level 18 → Level 19

Technical Note

Context

There is a little prank in this level. When you try to log in as bandit18, the system greets you and immediately kicks you out:

...
Byebye !
Connection to bandit.labs.overthewire.org closed.

This is likely because an exit command has been placed in a startup file like .bashrc or .profile. As soon as the shell opens, it closes.

Goal

Read the readme file and retrieve the password without relying on an interactive shell session.

Solution

SSH is not just for opening a remote terminal; it can also run a single command on the remote host and return its output. In this mode no interactive terminal session is started, so login scripts sometimes behave differently, or our command executes before the shell decides to exit.

Normally we connect like this: ssh bandit18@... -p 2220 (and we get kicked out)

Now, let’s tell SSH “don’t give me a terminal, just run this command”:

ssh bandit18@bandit.labs.overthewire.org -p 2220 'cat readme'

(Enter the bandit18 password when prompted)

Output:

awhqfNnAbc1naukrpqDYkWZxVJ5x6yHv
Byebye !
Connection to ... closed.

As you can see, it still said “Byebye!” and closed the connection, BUT it executed our cat readme command first and gave us the password!

Alternative: If you want to look around (list files etc.), you can send commands one by one:

ssh bandit18@bandit.labs.overthewire.org -p 2220 'ls -al'

Key Takeaways

  1. SSH Command Execution: You can execute commands over SSH without an interactive session. This is powerful for automation and for bypassing simple shell restrictions like this one.
  2. .bashrc: A startup file that bash reads when it starts an interactive shell (login shells usually pull it in through .profile or .bash_profile). Putting exit here is a primitive way to deny access, but as demonstrated, it’s easily bypassed, because it only affects shells that actually read the file.
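
A local model of the behaviour described in the Solution and in takeaway 2, added here as an example and not taken from the original write-up or from the Bandit server. The rc file contents, the readme value and the function names are constructed assumptions; no SSH server is involved.

```shell
#!/usr/bin/env bash
# Constructed local model: a throwaway home directory stands in for the
# account. The rc file below is an assumption based on the "Byebye !"
# greeting, not the real file from the level.

make_home() {
  local dir
  dir=$(mktemp -d) || return 1
  printf 'constructed-secret\n' > "$dir/readme"
  printf '%s\n' 'echo "Byebye !"' 'exit 0' > "$dir/rc"
  printf '%s\n' "$dir"
}

# Interactive session: bash sources the rc file before anything else,
# reaches "exit", and the requested command never runs.
run_interactive() {
  HOME="$1" bash --rcfile "$1/rc" -i -c 'cat ~/readme' </dev/null 2>/dev/null
}

# Command mode: sshd hands the requested command to the account's shell
# as "$SHELL -c <command>". A plain non-interactive "bash -c" reads no
# rc file, so the "exit" is never reached. The subshell clears the SSH
# variables because some bash builds source the rc file when they detect
# they were started by sshd.
run_command() {
  ( unset SSH_CLIENT SSH_CLIENT2
    HOME="$1" bash --rcfile "$1/rc" -c 'cat ~/readme' </dev/null 2>/dev/null )
}

demo() {
  local home
  home=$(make_home) || return 1
  printf 'interactive: %s\n' "$(run_interactive "$home")"
  printf 'command:     %s\n' "$(run_command "$home")"
  rm -rf "$home"
}

demo
```

The control only holds for shells that read the startup file, which is why an access restriction belongs in the SSH server configuration rather than in the user's rc file.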