Writeup – Bandit – Level 32 to 33
> local_ai_tl_dr()
> TERM=/bin/bash
ssh bandit33@bandit
WELCOME TO THE UPPERCASE SHELL
>> $TERM
bandit33@bandit:~$ whoami
So my solution for the bandit – lvl 32 was something very simple but took me a while:
When you connect to bandit33, you are prompted with this:
WELCOME TO THE UPPERCASE SHELL
>>
This is because the shell for the bandit32 user is redirected to /home/bandit32/uppershell
and every command you type is executed, but in uppercase.
So, if you type whoami, WHOAMI is executed, and so on.
I started to think that the only things that are entirely in upper case in Linux are some environment variables, such as HOME, EDITOR, PWD, TERM, etc.
I started to try, because I was tired, and when I typed $HOME, this was printed:
>> $HOME
sh: 1: /home/bandit32: Permission denied
That means that I can execute environment variables... amazing?
The question is:
What environment variable is passed from your terminal to the server?
And then I tried this:
>> $TERM
sh: 1: xterm-kitty: Permission denied
Wait, what?
Yes, I use the kitty terminal, but this environment variable is passed to the server when the connection is established. I got disconnected from the server and set this on my system:
TERM=/bin/bash
Then I made the connection through ssh, got the prompt of the uppercase shell and typed:
WELCOME TO THE UPPERCASE SHELL
>> $TERM
bandit33@bandit:~$ whoami
bandit33
bandit33@bandit:~$
In summary:
Before connecting via ssh, I set the environment variable TERM to /bin/bash and then, once ssh'd in to the bandit33 user, I ran $TERM, so it executed /bin/bash and I got a shell.
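
Why uppercasing the input does not confine the user, and one way to close the gap, as an added example that is not part of the original writeup. It models the wrapper as "uppercase the line, then run it with sh -c" (an assumption based on the sh: 1: errors above; the real uppershell source is not shown), and the function names and the TERM value are constructed for illustration.

```shell
#!/bin/sh
# Added example: a model of an "uppercase shell" wrapper, NOT the real
# /home/bandit32/uppershell binary (its source is not on the page).

# Weak form: uppercase the typed line, then hand it to sh with the inherited
# environment. Variable expansion happens AFTER the uppercasing, so $TERM
# resolves to whatever value the SSH client sent, lower case included.
upper_exec_weak() {
    line=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    sh -c "$line" 2>&1
}

# Hardened form: allow-list the characters that may reach the shell (so no
# '$', backticks, ';' and so on), and start sh with a scrubbed environment
# so client-supplied variables such as TERM are not inherited at all.
upper_exec_hardened() {
    line=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case $line in
        *[!A-Z0-9\ ._/-]*)
            echo "rejected"
            return 1
            ;;
    esac
    env -i PATH=/usr/bin:/bin sh -c "$line" 2>&1
}

# Constructed demonstration: TERM carries a harmless command instead of
# /bin/bash, so the effect is visible without spawning a shell.
demo() {
    weak=$(TERM='echo client-controlled'; export TERM
           upper_exec_weak '$term')
    hard=$(TERM='echo client-controlled'; export TERM
           upper_exec_hardened '$term') || true
    printf '%s|%s\n' "$weak" "$hard"
}

demo
```
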