Good job getting a shell! Now hurry and grab the password for bandit27!
1 2 > whatis ls ls (1) - list directory contents
If at the end of the last level you logged out perform the same steps as the last level to login back as bandit26 but this time from our system.
Make the terminal height-wise short so that the more command will enter interactive mode
1 2 3 4 5 > ssh firstname.lastname@example.org -p 2220 This is a OverTheWire game server. More information on http://www.overthewire.org/wargames email@example.com's password: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Press “v” to open the file in a text editor (Default vim) then enter the commands below to start a bash shell.
If the above steps were performed properly you should have a bash shell and be logged in as bandit26.
Note: If the above steps did not make sense refer to my previous article where I have explained the process in detail.
Let’s see if there are any files in the current working directory
1 2 3 4 5 6 7 bandit26@bandit:~$ ls bandit27-do text.txt bandit26@bandit:~$ ls -l total 12 -rwsr-x--- 1 bandit27 bandit26 7296 May 7 2020 bandit27-do -rw-r----- 1 bandit26 bandit26 258 May 7 2020 text.txt
We see a binary file called “bandit27-do”. If we look at its properties we see that the file is owned by bandit27 and the SUID bit of the file is set as well. This means that using the binary if we run any other command that command will have the same permissions as the owner of the binary (in this case the commands will have bandit27 permissions)
So let us try to cat the content of the password file of bandit27 using the binary.
1 2 bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27 3ba3118a22e93127a4ed485be72ef5ea
There we go we have the password for the next level !!!
Logout of the current session and login into the next level as banddit27
1 2 3 4 5 > ssh firstname.lastname@example.org -p 2220 This is a OverTheWire game server. More information on http://www.overthewire.org/wargames email@example.com's password: 3ba3118a22e93127a4ed485be72ef5ea