
OverTheWire Bandit Level 19: Running Commands via SSH Without Interactive Shell

OverTheWire Bandit Level 19 walkthrough. Learn how to run commands via SSH without getting an interactive shell, bypassing .bashrc modifications that log you out.


Level 19 introduces a clever SSH technique: running commands directly without an interactive shell. When someone modifies .bashrc to log you out immediately, you can bypass this by executing commands as SSH arguments instead of getting an interactive session. This teaches you how SSH can run remote commands and how to work around shell restrictions.

Level 19 teaches you:

  • Running commands via SSH without interactive shell
  • Understanding how .bashrc affects shell sessions
  • Bypassing shell restrictions
  • Using SSH command arguments
  • Executing remote commands directly

This level builds on what you learned about SSH in previous levels. Understanding how to run commands without interactive shells is essential for automation, scripting, and bypassing restrictions.


🎯 The Objective

After logging into bandit18, your goal is to find the password for Level 19. The password is stored in a file called readme in the home directory. However, someone has modified .bashrc to log you out immediately when you log in with SSH.

What Level 19 teaches:

  • Running commands via SSH command arguments
  • Bypassing .bashrc modifications
  • Understanding interactive vs. non-interactive shells
  • Executing remote commands without shell access
  • Working around shell restrictions

The challenge: When you SSH in normally, you get logged out instantly (you'll see "Byebye!"). You need to run the command to read readme without getting an interactive shell session.


🔍 Understanding the Problem

Let's start by trying to connect to Level 18 normally:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220

What happens: You'll see "Byebye!" and get immediately logged out. This is because .bashrc has been modified to log you out when an interactive shell starts.

The problem: How do you read the readme file if you can't stay logged in?

The answer: Use SSH's ability to run commands directly as arguments, bypassing the interactive shell entirely.


🧠 Understanding SSH Command Execution

Let's dive deeper into how SSH can run commands:

Interactive vs. Non-Interactive Shells

Interactive shell:

  • Full shell session
  • Runs .bashrc (or .bash_profile)
  • Allows you to type commands
  • What you get with normal ssh user@host

Non-interactive command execution:

  • Runs command directly
  • Doesn't run .bashrc (usually)
  • Executes and exits
  • What you get with ssh user@host "command"

Why This Matters

When .bashrc contains logout commands:

  • Interactive shell: Runs .bashrc, triggers logout, you get kicked out
  • Non-interactive command: Skips .bashrc, runs command, returns output

For Level 19: We use non-interactive command execution to bypass the .bashrc logout.


📋 Step-by-Step Walkthrough

Step 1: Understand the Problem

Try connecting normally first to see what happens:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220

You'll see "Byebye!" and get logged out immediately. This confirms the .bashrc modification is working.

Step 2: Run Command via SSH Arguments

Instead of getting an interactive shell, run the command directly as an SSH argument:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"

Breaking this down:

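  • sshpass -p `cat bandit18`: Provides the password, read from the local file bandit18. Note that -p places the password on the local command line, where other local users can see it in the process list; sshpass also accepts -f (read from a file) and -e (read from the SSHPASS environment variable).
  • ssh bandit18@bandit.labs.overthewire.org -p 2220: SSH connection
  • "cat readme": Command to run remotely (in quotes)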

What this does:

  • Connects to the server
  • Runs cat readme directly (non-interactive)
  • Returns the output
  • Exits without starting an interactive shell

What you'll see: The contents of the readme file will be displayed in your terminal. That's the password for Level 19!

Step 3: Save the Password

Copy the password and save it on your local machine:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit19

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit19 -NoNewline

Step 4: Connect to Level 19

sshpass -p `cat bandit19` ssh bandit19@bandit.labs.overthewire.org -p 2220

💡 Understanding .bashrc Modifications

Let's dive deeper into what's happening:

What Is .bashrc?

.bashrc is a configuration file that runs when:

  • A new interactive bash shell starts
  • You SSH in and get an interactive shell
  • You open a new terminal

Common uses:

  • Setting environment variables
  • Defining aliases
  • Customizing the prompt
  • Running startup commands

What Happened in Level 19?

Someone modified .bashrc to include:

exit
# or
logout

What this does:

  • When you SSH in, .bashrc runs
  • .bashrc executes exit or logout
  • You get logged out immediately
  • You see "Byebye!" message

Why Non-Interactive Commands Work

When you run ssh user@host "command":

  • SSH runs the command directly
  • It doesn't start an interactive shell
  • .bashrc doesn't run (or runs differently)
  • Command executes and returns output
  • No logout happens

For Level 19: This is why running commands as SSH arguments bypasses the logout.
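
The mechanism behind this, as an added local illustration that is not part of the original walkthrough: on bash builds that source ~/.bashrc for commands launched by sshd, the file is still read, and the bypass works only because a Debian-style interactive guard returns before the logout line is reached. The rc files, the secret and the function names are constructed, and the presence of such a guard on the Bandit server is an assumption.

```shell
#!/bin/sh
# Added illustration: constructed files in a temp dir; no network or real account.
lab=$(mktemp -d)
printf 'constructed-demo-secret\n' > "$lab/readme"

# Constructed rc file in the Debian style: interactive guard, then the logout.
cat > "$lab/rc_guarded" <<'EOF'
case $- in
    *i*) ;;
    *) return ;;
esac
echo 'Byebye!'
exit 0
EOF

# The same logout with no guard in front of it.
cat > "$lab/rc_unguarded" <<'EOF'
echo 'Byebye!'
exit 0
EOF

# Interactive start-up: bash reads the rc file first, so `exit` wins.
interactive() {
    (cd "$lab" && bash --rcfile "$1" -i -c 'cat readme' </dev/null 2>/dev/null)
}

# Local stand-in for `ssh host "cat readme"` on a bash build that sources
# ~/.bashrc for sshd-launched commands: source the rc non-interactively, then run.
remote_cmd() {
    (cd "$lab" && bash -c '. "$1"; cat readme' _ "$1" </dev/null 2>/dev/null)
}

echo "interactive, guarded rc:   $(interactive "$lab/rc_guarded")"
echo "command,     guarded rc:   $(remote_cmd "$lab/rc_guarded")"
echo "command,     unguarded rc: $(remote_cmd "$lab/rc_unguarded")"
```

The third case is the defensive takeaway: a logout line in .bashrc is not an access control. Restricting what an account may run belongs in sshd_config (ForceCommand) or in a command= option in authorized_keys.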


🛠️ Alternative Methods

Here are different ways to run the command:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"

Pros: Simple, direct, bypasses .bashrc
Cons: None really

Method 2: Using SSH Directly (If Password Typed)

ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"
# Then type password when prompted

Pros: Works without sshpass
Cons: Requires manual password entry

Method 3: Testing with Other Commands

You can test this functionality with other commands:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "whoami"
# Output: bandit18

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "pwd"
# Output: /home/bandit18

Pros: Helps verify the technique works
Cons: Doesn't get the password directly

For Level 19, use Method 1: it's the most efficient and teaches you valuable skills.


🔒 Real-World Context

Why does this matter in penetration testing?

In real security assessments, you'll encounter similar restrictions:

1. Restricted Shells

Systems with restricted shells:

  • Limited command access
  • Modified .bashrc or .profile
  • Forced logout mechanisms
  • Restricted command execution

Example: Bypassing restricted shell:

ssh user@host "cat /etc/passwd"

2. Automated Command Execution

Running commands remotely:

  • Script execution
  • Automated tasks
  • Remote administration
  • CI/CD pipelines

Example: Running remote commands:

ssh user@server "systemctl status apache2"

3. Bypassing Shell Restrictions

When shells are restricted:

  • Limited command access
  • Forced logout
  • Command filtering
  • Restricted environments

Example: Bypassing restrictions:

ssh user@host "command_to_run"

4. SSH-Based Automation

Automating tasks via SSH:

  • Remote script execution
  • Configuration management
  • Deployment scripts
  • Monitoring commands

Example: Automated remote execution:

ssh user@host "cd /app && ./deploy.sh"

5. Forensics and Investigation

When investigating compromised systems:

  • Reading files without interactive access
  • Gathering information remotely
  • Avoiding detection
  • Quick data extraction

Example: Remote file reading:

ssh user@host "cat /var/log/auth.log | grep failed"

The skill you're learning: How to execute commands remotely without interactive shell access. This is essential when:

  • Working with restricted environments
  • Automating remote tasks
  • Bypassing shell restrictions
  • Running commands in scripts
  • Extracting data from remote systems

🚨 Common Mistakes

Mistake 1: Trying Normal SSH Connection

Wrong:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220
# Gets logged out immediately with "Byebye!"

Right:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"
# Runs command directly, bypasses logout

Why: Normal SSH starts an interactive shell, which runs .bashrc and triggers the logout. Running commands as arguments bypasses this.

Mistake 2: Forgetting Quotes Around Command

Wrong:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
# Might not work correctly

Right:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"
# Quotes ensure command is passed correctly

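Why: Quotes make your local shell pass the command to SSH as a single argument. A plain command like cat readme happens to work unquoted, because ssh joins its remaining arguments with spaces before handing them to the remote shell. Once the command contains characters such as ;, |, && or >, your local shell interprets them first unless they are quoted.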

Mistake 3: Not Understanding Why It Works

Confusion: "Why does this work when normal SSH doesn't?"

Clarification:

  • Normal SSH (ssh user@host) starts an interactive shell

  • Interactive shells run .bashrc

  • .bashrc contains exit or logout

  • You get logged out immediately

  • SSH with command (ssh user@host "command") runs command directly

  • No interactive shell starts

  • .bashrc doesn't run (or runs differently)

  • Command executes and returns output

For Level 19: Running commands as arguments bypasses the interactive shell and the .bashrc logout.

Mistake 4: Wrong File Path

Wrong:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat /home/bandit18/readme"
# Might work, but readme is in home directory

Right:

sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"
# readme is in home directory, relative path works

Why: When SSH runs a command, it starts in the user's home directory. readme is in the home directory, so a relative path works.

Mistake 5: Not Testing the Technique

Confusion: "How do I know this will work?"

Clarification:

  • Test with simple commands first
  • Try whoami or pwd to verify
  • Once confirmed, run the actual command

Example:

# Test first
sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "whoami"
# Should output: bandit18

# Then run actual command
sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"

💻 Practice Exercise

Try these to reinforce what you learned:

  1. Test with whoami:

    sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "whoami"
    # Should output: bandit18
    
  2. Test with pwd:

    sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "pwd"
    # Should output: /home/bandit18
    
  3. List files:

    sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "ls -la"
    # Lists files in home directory
    
  4. Read the password file:

    sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"
    # Gets the password
    

🎓 Understanding Interactive vs. Non-Interactive Shells

This is a good time to understand the difference:

Interactive Shell

Characteristics:

  • Full shell session
  • Runs .bashrc or .bash_profile
  • Allows command input
  • Shows prompt

When it runs:

  • Normal SSH login
  • Opening terminal
  • Starting bash manually

Non-Interactive Command Execution

Characteristics:

  • Runs command directly
  • Usually skips .bashrc
  • No prompt
  • Returns output and exits

When it runs:

  • ssh user@host "command"
  • Scripts executing commands
  • Automated tasks

For Level 19: We use non-interactive execution to bypass .bashrc.


🔗 What's Next?

Level 20 introduces SUID binaries: executables that run with the permissions of the file owner. You'll learn about privilege escalation and how to exploit misconfigured SUID binaries to gain elevated access.

Before moving on, make sure you:

  • ✅ Successfully ran commands via SSH arguments
  • ✅ Understand the difference between interactive and non-interactive shells
  • ✅ Know why .bashrc modifications affect interactive shells
  • ✅ Can bypass shell restrictions using SSH command arguments
  • ✅ Understand how to run remote commands without shell access

📚 Key Takeaways

After completing Level 19, you should understand:

  1. SSH command execution: Running commands as SSH arguments
  2. Interactive vs. non-interactive: Different shell types behave differently
  3. .bashrc modifications: Can log you out or restrict access
  4. Bypassing restrictions: Using non-interactive execution to bypass shell restrictions
  5. Remote command execution: Running commands without interactive shell access

🎯 Quick Reference

Problem | Solution | Example
Run command via SSH | Use quotes | ssh user@host "command"
Bypass .bashrc | Non-interactive | ssh user@host "cat file"
Test connection | Use whoami/pwd | ssh user@host "whoami"
With sshpass | Add sshpass | sshpass -p pass ssh user@host "cmd"
Multiple commands | Use semicolon | ssh user@host "cmd1; cmd2"

Questions about Level 19 or running commands via SSH? Reach out directly:


M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice
