OverTheWire Bandit: Level 25 → Level 26

Technical Note

Context

This level features a tactic straight out of a hacker movie. We have the SSH key for bandit26, but when we log in, the system immediately kicks us out. This is because the shell for bandit26 isn’t standard /bin/bash but a custom script designed to restrict us.

Our Goal: “Escape” directly from this restricted environment (jailbreak) and spawn a real shell.

Solution

Step 1: Exfiltrate the SSH Key

The bandit26 SSH key is in our home directory. Note: OverTheWire blocks SSH connections from localhost to conserve resources, so we cannot connect directly from bandit25.

We must copy the key to our local machine:

  1. Print the key: cat bandit26.sshkey
  2. Copy the content.
  3. On your local machine, create a file (e.g., bandit26.key) and paste the content.
  4. Set permissions: chmod 600 bandit26.key

Step 2: Resize the Terminal (The Trick)

The system script uses the more command to display text. more has a feature: if the text doesn’t fit on the screen, it pauses and waits for user input (--More--).

This is our exploit!

  1. Shrink your terminal window drastically. Make it only 5-10 lines tall.
  2. Run the SSH command from your local machine:

     ssh -i bandit26.key bandit26@bandit.labs.overthewire.org -p 2220

Now the connection won’t close. You’ll see --More-- (or %0) at the bottom. Do not press Enter or Space to finish the text!

Step 3: Switch to ‘vi’ Editor

While more is paused, if you press the v key, it launches the vi editor to edit the current content.

  1. When you see --More--, press v on your keyboard.
  2. You are now inside the vi editor.

Step 4: Shell Spawning

vi is powerful; you can execute system commands from within it.

  1. Press Esc inside vi (just to be safe).
  2. Type the following command and hit Enter (this sets the shell vi uses): :set shell=/bin/bash
  3. Now launch the shell: :shell

Step 5: Freedom

Congratulations! You dropped into a command prompt. Check who you are:

whoami
# Output: bandit26

You can now roam freely as bandit26. We don’t get a password file here since we used an SSH key, but we have established a persistent session which allows us to proceed to the next challenge.

Key Takeaways

  1. Restricted Shells: Systems can enforce limits by setting the default shell to a custom script instead of /bin/bash.
  2. GTFOBins: A curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. Breaking out using more and vi is a classic example.
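
A defender-side check for the misconfiguration this level relies on, as an added example that is not part of the original write-up: it scans a passwd file for accounts whose login shell is a wrapper script that calls a pager or editor with a built-in escape. The fixture, the account names and the path /usr/local/bin/banner-shell are constructed for illustration, and the program list is an assumption, not an exhaustive one.

```shell
#!/bin/sh
# Added example: flag accounts whose login shell is a wrapper script that
# invokes a pager or editor with a built-in editor/shell escape.
ESCAPABLE='more|less|man|vi|vim|view|ed'   # illustrative list, not exhaustive

# audit_login_shells PASSWD_FILE [ROOT]
# Prints "user:shell:programs" for each flagged account.
audit_login_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        path="${2:-}$shell"
        [ -f "$path" ] || continue
        # Only interpreted wrappers are inspected; compiled shells are skipped.
        [ "$(head -c 2 "$path")" = '#!' ] || continue
        # Ignore comment lines (and the shebang), then match whole words.
        hits=$(grep -v '^[[:space:]]*#' "$path" |
               grep -Eow "$ESCAPABLE" | sort -u | tr '\n' ',')
        if [ -n "$hits" ]; then
            printf '%s:%s:%s\n' "$user" "$shell" "${hits%,}"
        fi
    done < "$1"
}

# make_fixture: builds a constructed root with a passwd file and one wrapper.
# /usr/local/bin/banner-shell is a hypothetical path, not taken from the level.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/local/bin" "$root/bin"
    printf 'ELF-placeholder' > "$root/bin/bash"
    cat > "$root/usr/local/bin/banner-shell" <<'EOF'
#!/bin/sh
# show the banner, then end the session
more ~/text.txt
exit 0
EOF
    cat > "$root/etc/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
kiosk:x:1001:1001::/home/kiosk:/usr/local/bin/banner-shell
EOF
    printf '%s\n' "$root"
}

fixture=$(make_fixture)
audit_login_shells "$fixture/etc/passwd" "$fixture"
```

On a real host, call audit_login_shells /etc/passwd with no second argument. A wrapper that prints its text with cat instead of more is not flagged, because cat has no interactive mode to pause in.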