Writeup – Bandit – Level 32 to 33

> local_ai_tl_dr()

> TERM=/bin/bash
ssh bandit33@bandit
WELCOME TO THE UPPERCASE SHELL
>> $TERM
bandit33@bandit:~$ whoami

So my solution for the bandit – lvl 32 was something very simple but took me a while:

When you connect to bandit33, you are prompted with this:

WELCOME TO THE UPPERCASE SHELL
>> 

This is because the shell for the bandit32 user is redirected to /home/bandit32/uppershell

And every command you type is executed but in an uppercase.

So, if you type whoami, WHOAMI is executed and so on.

I started to think that the only things that are enterly on upper case in linux are some enviroment variables. Such as HOME, EDITOR, PWD, TERM, etc.

I started to try, because I was tired and if I type $HOME, then this was printed:

>> $HOME
sh: 1: /home/bandit32: Permission denied

That means that I can execute enviroment variables... amazing?

The question is:

What enviroment variable is pass from your terminal to the server?

And then I tried this:

>> $TERM
sh: 1: xterm-kitty: Permission denied

Wait, what?

Yes, I use the kitty terminal, but this enviroment variable is pass to the server when the connection is stablished. I got disconnected from the server and set this on my system:

TERM=/bin/bash

Then I make the connection through ssh, got the prompt of the upper case shell and typed:

WELCOME TO THE UPPERCASE SHELL
>> $TERM
bandit33@bandit:~$ whoami
bandit33
bandit33@bandit:~$ 

In resume:

Before to connect via ssh, I set the enviroment variable TERM to /bin/bash and then once ssh to the bandit33 user, I run $TERM, so it executes /bin/bash and I got a shell.