Recap of Last Lesson

Linux file permissions, using private keys to log on to servers

Bandit Level 19

Objective

Find the password to the next level

Intel Given

  • The password for the next level is stored in a file readme in the home directory.
  • Someone has modified .bashrc to log you out when you log in with SSH.

How to

Some of you go-getters may have already tried to log on to bandit18 and found yourselves getting kicked out. That’s not an unintentional error: as we gathered from our intel, .bashrc has been modified to log us out as soon as we log in, effectively rendering us helpless. .bashrc is a part of our “profile” on the remote server that tells the operating system things about our particular profile, such as home directory, preferred shell and text editor, and in our case it runs a script that logs us off when we try to SSH in.

Luckily there are ways to get the shell to ignore the startup script. Again, how you do this differs with the method of connecting. Let’s start with PuTTY first this time.

The first thing we’re going to do is load the previous session. You have been loading the previous sessions and not typing in the IP or URL every time, right?

bandit19.1

Next we’re going to go to the SSH option under Connection. You may remember this from a few levels ago.

bandit19.2

Here we’re going to enter the Remote command /bin/bash --norc. /bin/bash tells PuTTY which shell to run as the remote command, and the option --norc tells the shell we’re opening to ignore the .bashrc “profile” file. Bypassing it means the script that logs us out never runs. So now we’re in!

bandit19.3

To achieve this on a Unix system we take the same approach as with PuTTY: we just add a few arguments to our normal ssh command, like so.

bandit19.4

The -t tells ssh to allocate a terminal for the remote command, which here is bash run with --norc. That is what we want in order to ignore the .bashrc file, and thus avoid getting logged out. You may notice that the text normally shown before the $ (usually the username, hostname, and present working directory) has changed. Because we had to tell the shell to ignore the profile in order to get logged on, we have lost some functionality, including our customized command prompt. This is because what is in front of the $ comes from an environment variable, which is user defined, and most are user specific. The one that tells the shell what to display on the prompt is PS1. The way to change it is to simply enter the command

$ PS1="Hello World"

PS1 is taken very literally: if we input the above, the command prompt will read Hello World, like so.

bandit19.5

That’s nice, but I personally like the default settings that give us some information about our username, the host and the present working directory. So let’s set it back to that. Here \u is the current user name, \h is the current host, \w is the present working directory, and the dollar sign is there because…well it’s a classic.

bandit19.6

So now that we have our command prompt looking normal again, let’s see if we can find that file.

bandit19.7

Well that was easy, comparatively.
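To see the effect of --norc without touching the game server, here is a local demonstration. It is an added example, not part of the original post: the .bashrc contents are constructed to mimic the behaviour the level describes, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added demo, not from the original post. It builds a throwaway HOME whose
# .bashrc logs the user out (contents constructed to mimic what the level
# describes), then starts bash with and without --norc.

# Create the temporary home directory and print its path.
make_demo_home() {
    demo_home=$(mktemp -d) || return 1
    printf '%s\n' 'echo "logging you out"' 'exit 0' > "$demo_home/.bashrc"
    printf '%s\n' "$demo_home"
}

# Interactive bash, default behaviour: ~/.bashrc is sourced first, so its
# "exit" ends the shell before our command ever runs.
run_with_rc() {
    HOME="$1" bash -i -c 'echo shell-survived' 2>/dev/null
}

# Same shell with --norc: the startup file is skipped and the command runs.
# Long options such as --norc must come before single-letter ones.
run_without_rc() {
    HOME="$1" bash --norc -i -c 'echo shell-survived' 2>/dev/null
}

demo=$(make_demo_home) || exit 1
printf '%s\n' "default: $(run_with_rc "$demo")"
printf '%s\n' "--norc : $(run_without_rc "$demo")"
rm -rf "$demo"
```

The takeaway for anyone administering a box: a logout placed in .bashrc is a convenience setting the user's shell can be told to skip, not an access control.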

Conclusion

We learned about .bashrc and how to start a shell without invoking it, and about environment variables and changing the command prompt variable.
