ctf_aria
write up ctf by ariafatah
Project maintained by ariafatah0711 Hosted on GitHub Pages — Theme by mattgraham
soal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
NOTE: if you’re a Windows user and typically use Powershell to ssh into bandit: Powershell is known to cause issues with the intended solution to this level. You should use command prompt instead.
ssh
sshpass -p "iCi86ttT4KSNe1armKiwbQNmB3YJP3q4" ssh -o StrictHostKeyChecking=no bandit25@bandit.labs.overthewire.org -p 2220
solve
cat bandit26.sshkey
# -----BEGIN RSA PRIVATE KEY-----
# ...
## ssh in host
ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220 -vvv
## i try another option but not work
ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220 -t /bin/sh # change the tty
ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220 -T # tanpa tty
ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220 "whoami" # run command
ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220 -t /bin/sh "cat /etc/bandit_pass/bandit26 > /tmp/tmp.nvaRc1Ef3g/pass" # input only
- namun kareana saya sudah mencoba namun tidak ada yang berhasil jadi saya mencari di youtube dan mencari solusinya
- disini saya menemukan solusi dengan mengecilkan layar maka nanti kita seolah seolah sedang menggunakan perintah less
ssh -i bandit26.sshkey bandit26@localhost -p 2220
- jika sudah kita bisa click “v” untuk masuk ke vim editor
- jika sudah kita bisa cari tau cara keluar dari vim dan masuk ke shell di gtfobins
- https://gtfobins.github.io/gtfobins/vim/
- kita coba salah satunya dengan mengclick ESC terlebih dahulu
:set shell=/bin/sh|:shell
- atau kita bisa gunakan langkah satu persatu saat sudah di vim
:set shell=/bin/bash # lalu enter :shell # ini ssama seperti sebelumnya hanya saja kita secara 1 persatu # jika ingin cepat kita bisa gunakan | :set shell=/bin/bash | :shell - got flag
cat /etc/bandit_pass/bandit26 # s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
flag
s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ