Skip to main content
🧠Educationaladvanced13 min read
β€’

OverTheWire Bandit Level 26: Breaking Out of Restricted Shells and Vim Exploitation

OverTheWire Bandit Level 26 walkthrough. Learn about restricted shells, non-standard shells, Vim editor exploitation, and how to break out of restricted environments using creative techniques.

OverTheWireBanditLinuxrestricted shellVimshell escapeadvancedCTF
Share:𝕏inβ¬‘βœ‰
πŸ”—OverTheWire Bandit Series
Part 27 of 34
πŸ“šView all posts in OverTheWire Bandit series

πŸ”“ OverTheWire Bandit Level 26: Breaking Out of Restricted Shells and Vim Exploitation

Level 26 introduces restricted shells and shell escape techniques. This level teaches you how to identify non-standard shells, exploit the more pager, use Vim to escape restricted environments, and understand how creative thinking can bypass security restrictions.

Level 26 teaches you:

  • Identifying non-standard shells
  • Understanding restricted environments
  • Exploiting the more pager
  • Using Vim to escape restrictions
  • Setting environment variables in Vim
  • Creative problem-solving techniques

If you've made it this far, you understand scripting and automation. Now you're learning how to break out of restricted environmentsβ€”this is a critical skill in penetration testing when you encounter limited shells.

🎯 The Objective

After logging into bandit25, your goal is to find the password for Level 26. Logging into bandit26 should be easy (there's an SSH key), but the shell for bandit26 is not /bin/bashβ€”it's something else. You need to find out what it is, understand how it works, and break out of it.

What Level 26 teaches:

  • Identifying non-standard shells
  • Understanding restricted environments
  • Exploiting pagers (more)
  • Vim editor exploitation
  • Shell escape techniques

The challenge: The shell is actually a script that uses more. You need to exploit more to get into Vim, then use Vim commands to read the password and escape to a real shell.

πŸ” Understanding the Problem

Let's start by connecting to Level 25:

sshpass -p `cat bandit25` ssh bandit25@bandit.labs.overthewire.org -p 2220

Once connected, let's check what's available:

ls -la

You should see an SSH key file (bandit26.sshkey).

The problem: When you SSH into bandit26 using this key, you get kicked out immediately. The shell isn't bashβ€”it's something else that's causing the immediate logout.

🧠 What Are Restricted Shells? Understanding Non-Standard Environments

Here's what's happening: A restricted shell is a limited shell environment that prevents you from doing certain things, like changing directories or executing commands.

Types of Restricted Shells

Common restricted shells:

  • rbash β€” Restricted bash
  • rsh β€” Restricted shell
  • Custom shells β€” Scripts that act like shells
  • Application shells β€” Programs that provide shell-like interfaces

Why they exist:

  • Security β€” Limit what users can do
  • Control β€” Prevent system modification
  • Isolation β€” Keep users in specific directories
  • Compliance β€” Meet security requirements

How Restricted Shells Work

Restrictions typically include:

  • Can't change directories (cd disabled)
  • Can't modify PATH
  • Can't execute certain commands
  • Can't redirect output
  • Can't set environment variables

In Level 26: The "shell" is actually a script that uses more to display a file, then exits. This isn't a real shell at allβ€”it's a trick.

πŸ“‹ Step-by-Step Walkthrough

Step 1: Connect to Level 25

sshpass -p `cat bandit25` ssh bandit25@bandit.labs.overthewire.org -p 2220

Step 2: Check What Shell bandit26 Uses

Let's check /etc/passwd to see what shell bandit26 is configured to use:

cat /etc/passwd | grep bandit26

What you'll see:

bandit26:x:11026:11026:bandit26:/home/bandit26:/usr/bin/showtext

The key: Instead of /bin/bash, the shell is /usr/bin/showtext. This is not a standard shell!

Step 3: Examine the showtext Script

Let's see what this script does:

cat /usr/bin/showtext

What you'll see:

#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

Breaking this down:

  • export TERM=linux β€” Sets terminal type
  • more ~/text.txt β€” Opens text.txt with the more pager
  • exit 0 β€” Exits immediately

The trick: The script uses more to display a file. If the terminal is small enough, more will paginate (show one screen at a time). From more, you can press v to open the file in Vim!

Step 4: Check for SSH Key

Let's see what's in the bandit26 home directory:

ls -la /home/bandit26/

You should see bandit26.sshkeyβ€”an SSH private key.

Step 5: Try SSH with the Key

Let's try connecting:

ssh -i bandit26.sshkey bandit26@localhost

What happens: You get logged in, but then immediately kicked out. The showtext script runs, displays the file with more, and exits.

The problem: The terminal is too large, so more displays everything at once and exits immediately. We need to make the terminal small so more paginates.

Step 6: Resize Your Terminal Window

This is the key trick: Make your terminal window very smallβ€”so small you can barely see what you're typing.

Why: When more detects the terminal is too small to display everything, it enters pager mode (shows one screen at a time). In pager mode, you can press v to open the file in Vim.

How to resize:

  • Terminal emulator: Drag the window edges to make it tiny
  • tmux/screen: Resize the pane
  • Goal: Make it so small that more can't fit the entire file

Step 7: SSH Again with Small Terminal

With your terminal resized, SSH in again:

ssh -i bandit26.sshkey bandit26@localhost

What happens:

  • The showtext script runs
  • more opens text.txt
  • Because the terminal is small, more enters pager mode
  • You see the file content with a prompt at the bottom

You should see something like:

[file content]
--More--(XX%)

Step 8: Open Vim from more

While in more, press v (lowercase v).

What happens: The file opens in Vim! You're now in Vim editor mode.

Why this works: more has a feature where pressing v opens the current file in the default editor (usually Vim). This is a legitimate feature, but it can be exploited to escape restricted environments.

Step 9: Read the Password File in Vim

Now that you're in Vim, you can use Vim commands to read files:

Press Esc to ensure you're in command mode (you should see a cursor, not insert mode).

Then type:

:e /etc/bandit_pass/bandit26

Breaking this down:

  • : β€” Enters command mode
  • e β€” Edit command (opens a file)
  • /etc/bandit_pass/bandit26 β€” The password file path

Press Enter after typing the command.

What you'll see: The password for Level 26 displayed in Vim!

Step 10: Set Shell Variable and Escape

Now you need to get a real shell. The problem is that even if you exit Vim, you'll go back to more, which will exit, and you'll be logged out.

The solution: Set the shell variable in Vim, then use Vim's shell command.

In Vim, type:

:set shell=/bin/bash

Press Enter.

Then type:

:shell

Press Enter.

What happens: You get a real bash shell! You're now bandit26 with a full shell.

Why this works: Vim has a shell variable that determines what shell to use when you run :shell. By setting it to /bin/bash, you override the restricted shell.

Step 11: Save the Password

Copy the password you saw in Vim and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit26

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit26 -NoNewline

Step 12: Important Warning

⚠️ DO NOT CLOSE YOUR SHELL!

You'll need this shell session for Level 27. If you close it and SSH back in, you'll have to repeat the entire process (resize terminal, get into Vim, set shell variable, etc.).

To reconnect later (if needed):

  1. Resize terminal to very small
  2. SSH with the key
  3. Press v in more
  4. Type :set shell=/bin/bash and press Enter
  5. Type :shell and press Enter

πŸ’‘ Understanding Restricted Shells and Escapes in Depth

Let's dive deeper into these concepts:

Why Restricted Shells Exist

Security reasons:

  • Limit user capabilities
  • Prevent system modification
  • Isolate users
  • Meet compliance requirements

Common scenarios:

  • Web hosting accounts
  • Shared systems
  • Application users
  • Compliance environments

The more Pager Exploit

How more works:

  • Displays file content page by page
  • Enters pager mode when content doesn't fit
  • Allows navigation and editing

The exploit:

  • Press v in more β†’ Opens file in Vim
  • Vim can read other files (:e filename)
  • Vim can execute shell commands (:!command)
  • Vim can spawn shells (:shell)

Why it works: more is designed to be helpful, but that helpfulness can be exploited.

Vim Exploitation Techniques

Vim can:

  • Read files: :e /path/to/file
  • Execute commands: :!command
  • Spawn shells: :shell
  • Set variables: :set variable=value
  • Run scripts: :source file

Common escapes:

  • :set shell=/bin/bash then :shell
  • :!bash (if allowed)
  • :!/bin/bash (if allowed)

In Level 26: Setting shell variable and using :shell is the reliable method.

πŸ”’ Real-World Context

Why does this matter in penetration testing?

Restricted shell escapes are common in real assessments:

1. Restricted Shell Escapes

In real assessments, you might encounter:

  • rbash (restricted bash)
  • rsh (restricted shell)
  • Custom restricted shells
  • Application shells

The technique: Same as Level 26β€”find a way to escape to a full shell.

2. Common Escape Methods

From restricted shells:

  • Exploit pagers (more, less)
  • Use editors (Vim, nano, etc.)
  • Find binaries with shell escape
  • Exploit SUID binaries
  • Use scripting languages

From applications:

  • SQL injection β†’ shell
  • Command injection
  • File upload β†’ shell
  • Template injection

3. Real-World Examples

Common scenarios:

  • Web shells with restrictions
  • SSH accounts with rbash
  • Application users with limited shells
  • Container escapes

The skill you're learning: How to identify and escape restricted environments. This is essential for:

  • Privilege escalation
  • Lateral movement
  • Maintaining access
  • Understanding security controls

πŸ› οΈ Alternative Methods

Here are different ways to approach Level 26:

1. Resize terminal
2. SSH with key
3. Press 'v' in more
4. :set shell=/bin/bash
5. :shell

Pros: Reliable, works consistently Cons: Requires terminal resizing

Method 2: Vim Command Execution

If :shell doesn't work, try:

:!bash

or

:!/bin/bash

Pros: Simpler Cons: Might not work if restricted

Method 3: Vim Script Execution

Create a script and source it:

:r! echo '#!/bin/bash' > /tmp/shell.sh
:r! echo 'bash' >> /tmp/shell.sh
:!bash /tmp/shell.sh

Pros: More complex but might work Cons: Requires write access

For Level 26, use Method 1 β€” it's the most reliable.

🚨 Common Mistakes

Mistake 1: Terminal Too Large

Wrong: Terminal window is normal size, more displays everything and exits immediately.

Right: Make terminal very small so more paginates.

Why: more only enters pager mode when content doesn't fit on screen.

Mistake 2: Not Pressing 'v' in more

Wrong: Trying to type commands while in more pager mode.

Right: Press v to open Vim from more.

Why: more doesn't execute shell commands. You need Vim to escape.

Mistake 3: Not Setting Shell Variable

Wrong: Just using :shell without setting the shell variable first.

Right: Set :set shell=/bin/bash first, then :shell.

Why: The default shell might still be the restricted one. Setting it explicitly ensures you get bash.

Mistake 4: Closing the Shell

Wrong: Closing the terminal/shell session.

Right: Keep it open! You'll need it for Level 27.

Why: If you close it, you'll have to repeat the entire escape process.

Mistake 5: Not Understanding the Flow

Wrong thinking: "I'll just SSH in and get a shell."

Reality: The shell is restricted and exits immediately. You need to exploit more β†’ Vim β†’ set shell β†’ escape.

Solution: Understand each step: SSH β†’ more pager β†’ Vim β†’ set shell β†’ real shell.

πŸ’» Practice Exercise

Try these to reinforce what you learned:

  1. Understand more pager:

    # Make terminal small
cat /etc/passwd | more
# Press 'v' to open in Vim

  2. Practice Vim commands:

    vim test.txt
# In Vim:
# :e /etc/passwd  (open another file)
# :set shell=/bin/bash  (set shell)
# :shell  (spawn shell)

  3. Check shell in /etc/passwd:

    cat /etc/passwd | grep bandit26

  4. Understand restricted shells:

    # If you have rbash available
rbash
# Try to cd, modify PATH, etc.

πŸŽ“ Understanding Shell Escapes

This level introduces shell escape concepts:

What Is a Shell Escape?

Shell escape is breaking out of a restricted environment to get a full shell:

  1. Identify restriction β€” What's limiting you?
  2. Find escape vector β€” What can you exploit?
  3. Execute escape β€” Break out
  4. Verify shell β€” Confirm you have full access

Why Shell Escapes Matter

Understanding escapes is essential for:

  • Privilege escalation
  • Lateral movement
  • Maintaining access
  • Understanding security controls

The skill you're learning: How to identify and exploit restricted environments. This is fundamental for:

  • Penetration testing
  • Security research
  • Understanding system security
  • Developing defenses

πŸ”— What's Next?

Level 27 will likely build on this shell escape. You'll continue working with the shell you just obtained.

Before moving on, make sure you:

  • βœ… Understand what restricted shells are
  • βœ… Know how to identify non-standard shells
  • βœ… Can exploit more to get into Vim
  • βœ… Know Vim escape commands
  • βœ… Understand why terminal resizing matters
  • βœ… DON'T CLOSE YOUR SHELL!

πŸ“š Key Takeaways

After completing Level 26, you should understand:

  1. Restricted shells β€” Limited shell environments
  2. Shell identification β€” Checking /etc/passwd for shell type
  3. Pager exploitation β€” Using more to escape
  4. Vim exploitation β€” Using Vim to read files and spawn shells
  5. Creative problem-solving β€” Terminal resizing trick

🎯 Quick Reference

ConceptExplanationExample
Restricted shellLimited shell environmentrbash, custom shells
/etc/passwdUser account infocat /etc/passwd | grep user
more pagerFile pagermore file.txt, press v
Vim shellSpawn shell from Vim:set shell=/bin/bash then :shell
Terminal resizeMake window smallTriggers pager mode

πŸ” Advanced: Understanding Shell Internals

If you want to go deeper, here's how shells work:

Shell Execution

When you log in:

  1. System reads /etc/passwd
  2. Finds your shell (last field)
  3. Executes that shell
  4. Shell runs initialization files
  5. Shell presents prompt

In Level 26: Instead of /bin/bash, it's /usr/bin/showtext (a script).

Environment Variables

Shell-related variables:

  • SHELL β€” Current shell
  • TERM β€” Terminal type
  • PATH β€” Command search path
  • HOME β€” Home directory

In Vim:

  • :set shell=/bin/bash β€” Changes shell variable
  • :shell β€” Spawns shell using that variable

Restricted Shell Features

What rbash restricts:

  • Can't change directories
  • Can't modify PATH
  • Can't redirect output
  • Can't execute certain commands
  • Can't set environment variables

Escape methods:

  • Exploit pagers/editors
  • Find binaries with shell escape
  • Use scripting languages
  • Exploit SUID binaries

Questions about Level 26, restricted shells, or Vim exploitation? Reach out directly:

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice

Found this helpful? Share it:

Share:𝕏inβ¬‘βœ‰

Need Help With This?

Have questions about implementing these security practices? Let's discuss your specific needs.

Get in Touch

More in Educational

Explore more articles in this category.

Browse 🧠 Educational

Related Articles