π OverTheWire Bandit Level 33: Escaping Uppercase Shell Using Positional Parameters
Level 33 introduces positional parameters and shell escapingβteaching you how to escape from a restricted uppercase shell by using $0 to access a regular shell. This level builds on shell escape techniques from earlier levels but introduces a new method using positional parameters.
Level 33 teaches you:
- Understanding positional parameters ($0, $1, $2, etc.)
- Escaping restricted shells
- Using $0 to access regular shell
- Understanding how shells handle commands
- Bypassing uppercase command restrictions
If you've made it this far, you understand file operations, scripting, privilege escalation, and Git. Now you're learning about positional parametersβa fundamental shell concept that can help escape restricted environments.
π― The Objective
After logging into bandit32, you're greeted with "WELCOME TO THE UPPERCASE SHELL." Your goal is to escape this restricted shell and find the password for Level 33.
What Level 33 teaches:
- Understanding positional parameters
- Escaping uppercase shell restrictions
- Using $0 to access regular shell
- Understanding shell command processing
- Bypassing restricted environments
The challenge: The shell converts all commands to uppercase, making normal commands like ls fail. You need to use positional parameters (specifically $0) to escape to a regular shell.
π Understanding the Problem
Let's start by connecting to Level 32:
sshpass -p `cat bandit32` ssh bandit32@bandit.labs.overthewire.org -p 2220
What you'll see:
WELCOME TO THE UPPERCASE SHELL.
>>
The problem: When you try to use normal commands, they fail because the shell converts everything to uppercase. For example:
lsbecomesLS(command not found)catbecomesCAT(command not found)- Even
LSdoesn't work
The solution: Use $0 (a positional parameter) to escape to a regular shell.
π§ Understanding Positional Parameters
Here's what's happening: Positional parameters are special variables that hold arguments passed to a script or shell. $0 refers to the script or shell itself, and executing it can give you a regular shell.
How Positional Parameters Work
Positional parameters are:
$0β The script or shell name itself$1β First argument$2β Second argument$3β Third argument- And so on...
Why this matters:
$0can reference the shell executable- Executing
$0can spawn a new shell - New shell might not have the same restrictions
- This is a common escape technique
Understanding $0
$0 contains:
- The name of the script being executed
- The name of the shell being used
- The command that started the current process
In Level 33: $0 contains the path to a regular shell (like /bin/bash or /bin/sh), and executing it gives you a shell without the uppercase restriction.
Why This Escapes the Uppercase Shell
The uppercase shell:
- Intercepts commands before execution
- Converts commands to uppercase
- Prevents normal command execution
- Is likely a wrapper script
Using $0:
- References the underlying shell
- Bypasses the wrapper script
- Spawns a new shell instance
- New shell doesn't have uppercase restriction
π Step-by-Step Walkthrough
Step 1: Connect to Level 32
sshpass -p `cat bandit32` ssh bandit32@bandit.labs.overthewire.org -p 2220
Step 2: Observe the Uppercase Shell
When you connect, you'll see:
WELCOME TO THE UPPERCASE SHELL.
>>
Notice: The prompt is >> instead of the normal $ or #.
Step 3: Try Normal Commands
Try using normal commands:
ls
What you'll see:
sh: 1: ls: not found
The problem: The shell converted ls to LS, which doesn't exist.
Step 4: Try Uppercase Commands
Try using uppercase commands:
LS
What you'll see:
sh: 1: LS: not found
Still doesn't work: Even uppercase commands fail.
Step 5: Use $0 to Escape
Execute $0 to escape to a regular shell:
$0
What you'll see:
$
Success! You now have a regular shell prompt ($ instead of >>).
Step 6: Verify Normal Commands Work
Now try normal commands:
ls
What you'll see: Normal directory listing! Commands work now.
Step 7: Get the Password
Now you can read the password file:
cat /etc/bandit_pass/bandit33
What you'll see: The password for Level 33.
Step 8: Save the Password
Copy the password and save it:
On Linux/macOS:
echo "PASSWORD_HERE" > bandit33
On Windows (PowerShell):
"PASSWORD_HERE" | Out-File -FilePath bandit33 -NoNewline
Step 9: Connect to Level 33
sshpass -p `cat bandit33` ssh bandit33@bandit.labs.overthewire.org -p 2220
π‘ Understanding Positional Parameters in Depth
Let's dive deeper into positional parameters:
Positional Parameter Structure
In a script or shell:
$0β Script/shell name$1β First argument$2β Second argument$#β Number of arguments$@β All arguments$*β All arguments (as single string)
Example:
./myscript.sh arg1 arg2 arg3
In the script:
$0=./myscript.sh$1=arg1$2=arg2$3=arg3$#=3
Understanding $0 in Different Contexts
In a script:
$0= Script filename
In an interactive shell:
$0= Shell executable path (e.g.,/bin/bash)
In Level 33:
$0= Path to regular shell (likely/bin/bashor/bin/sh)- Executing it spawns a new shell without restrictions
Why $0 Escapes Restricted Shells
Restricted shells often:
- Are wrapper scripts
- Intercept commands
- Apply restrictions
- Don't restrict
$0access
Using $0:
- References the underlying shell
- Bypasses wrapper restrictions
- Spawns unrestricted shell
- Gives you full shell access
π Real-World Context
Why does this matter in penetration testing?
Shell escaping is a critical skill for privilege escalation and lateral movement:
1. Escaping Restricted Shells
In real assessments, you might encounter:
- Restricted shells in applications
- Wrapper scripts with limitations
- Custom shells with restrictions
- Environments that limit command execution
The technique: Same as Level 33βuse $0 or other positional parameters to escape restricted shells.
2. Common Restricted Shell Scenarios
Where restricted shells appear:
- Web application shells
- SSH restricted environments
- Application wrappers
- Containerized environments
- Custom service shells
Why they're used:
- Limit user capabilities
- Prevent system access
- Control command execution
- Enforce security policies
Why they can be escaped:
- Often implemented as wrappers
- Don't restrict all shell features
- Positional parameters still work
- Can spawn new shells
3. Real-World Examples
Common scenarios:
- Web application with restricted shell
- SSH with limited command set
- Application wrapper script
- Container with restricted shell
The skill you're learning: How to escape restricted shells using positional parameters. This is essential for:
- Privilege escalation
- Lateral movement
- Bypassing security controls
- Gaining full shell access
π οΈ Alternative Methods
Here are different ways to escape restricted shells:
Method 1: $0 (Recommended for Level 33)
$0
Pros: Simple and direct Cons: Might not work if $0 is restricted
Method 2: $SHELL
$SHELL
Pros: Uses SHELL environment variable Cons: Might not be set or might be restricted
Method 3: /bin/bash or /bin/sh
/bin/bash
# or
/bin/sh
Pros: Direct path to shell Cons: Path might be restricted or different
Method 4: Using Command Substitution
`echo /bin/bash`
Pros: Bypasses some restrictions Cons: More complex, might be blocked
Method 5: Using exec
exec /bin/bash
Pros: Replaces current shell Cons: Might not work in all contexts
For Level 33, use Method 1 β $0 is the intended solution.
π¨ Common Mistakes
Mistake 1: Not Understanding the Problem
Wrong: Trying commands repeatedly without understanding why they fail.
Right: Recognize that commands are being converted to uppercase, so you need to escape the shell.
Why: Understanding the restriction helps you find the right escape method.
Mistake 2: Not Knowing About $0
Wrong: Not knowing what $0 is or how to use it.
Right: Understand that $0 is a positional parameter that references the shell itself.
Why: $0 is a common escape technique for restricted shells.
Mistake 3: Trying $0 with Wrong Syntax
Wrong: Using echo $0 instead of executing $0.
Right: Execute $0 directly to spawn a new shell.
Why: echo $0 just prints the value. Executing $0 runs it as a command.
Mistake 4: Not Recognizing the Escape Worked
Wrong: Escaping successfully but not noticing the prompt changed.
Right: Notice that the prompt changes from >> to $, indicating you have a regular shell.
Why: The prompt change confirms the escape worked. You can now use normal commands.
Mistake 5: Overcomplicating It
Wrong thinking: "I need complex shell scripting or special tools."
Reality: Just execute $0βit's that simple.
Solution: Keep it simple. $0 is the direct solution.
π» Practice Exercise
Try these to reinforce what you learned:
-
Understand positional parameters:
echo $0 echo $1 echo $# -
Test $0 in different contexts:
$0 echo $SHELL -
Understand shell escaping:
# In a restricted environment, try: $0 /bin/bash $SHELL
π Understanding Shell Escape Techniques
This level introduces shell escape concepts:
Why Shell Escaping Matters
Security implications:
- Restricted shells are common security controls
- Escaping can lead to privilege escalation
- Understanding escape techniques is essential
- Many systems rely on shell restrictions
Common Escape Techniques
Positional parameters:
$0β Reference to shell itself$SHELLβ Environment variable- Direct paths β
/bin/bash,/bin/sh
Command execution:
- Command substitution β
`command` - Variable expansion β
$VAR - Path manipulation β Using different paths
The skill you're learning: How to escape restricted shells using positional parameters. This is essential for:
- Privilege escalation
- Penetration testing
- Understanding shell security
- Bypassing security controls
π What's Next?
Congratulations! You've completed Level 33. At the time of writing, Level 34 doesn't exist yet in the OverTheWire Bandit wargame. You've learned valuable skills about shell escaping and positional parameters that will serve you well in real-world penetration testing.
Before moving on, make sure you:
- β Understand positional parameters
- β
Know what
$0is and how to use it - β Can escape restricted shells
- β Understand why shell escaping works
- β Know common escape techniques
π Key Takeaways
After completing Level 33, you should understand:
- Positional parameters β Special variables ($0, $1, $2, etc.)
- $0 β References the script or shell itself
- Shell escaping β Using $0 to escape restricted shells
- Uppercase shell β A restricted shell that converts commands
- Escape techniques β How to bypass shell restrictions
π― Quick Reference
| Concept | Explanation | Example |
|---|---|---|
| $0 | Script/shell name | $0 |
| $1 | First argument | $1 |
| $# | Number of arguments | $# |
| Positional parameters | Special variables | $0, $1, $2... |
| Shell escape | Bypassing restrictions | $0 to get regular shell |
π Advanced: Understanding Restricted Shells
If you want to go deeper, here's restricted shell security:
Types of Restricted Shells
Common restrictions:
- rbash β Restricted bash
- rsh β Restricted shell
- Custom wrappers β Application-specific shells
- chroot β Root directory restrictions
Why they're used:
- Limit user capabilities
- Prevent system access
- Control command execution
- Enforce security policies
Escaping Restricted Shells
Common techniques:
- Use
$0to spawn new shell - Use
$SHELLenvironment variable - Direct path to shell (
/bin/bash) - Command substitution
- Variable expansion
In Level 33: The uppercase shell is a wrapper that converts commands. Using $0 bypasses the wrapper and spawns a regular shell.
Questions about Level 33, positional parameters, or shell escaping? Reach out directly:
- Email: m1k3@msquarellc.net
- Phone: (559) 670-3159
- Schedule: Book a free consultation
M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice