Concept
Shell Escape (Insecure Shell Wrapper): Some restricted environments use “wrappers” that process user input before execution. In this case, the wrapper converted everything to uppercase, preventing the execution of standard Linux commands (which are almost entirely lowercase). However, special environment variables like $0 are unaffected by uppercase conversion.
Key Commands
$0: In Unix systems, this variable contains the name of the program currently being executed (usually the current shell).
/etc/bandit_pass/bandit33: The standard location for the final password.
Walkthrough / Resolution
- Analysis: Upon entering Level 32, any command like ls or cat failed because it was transformed into LS or CAT.
- Identification: It was detected that the system used a “Positional Parameters” technique. In Bash, $0 invokes the executable that started the current session.
- Evasion: Simply entering $0 bypassed the filter. Since the $ symbol and the number 0 do not have uppercase equivalents, the filter could not alter them.
- Escape: The system executed the command stored in $0, which opened a conventional shell (sh) free from uppercase restrictions.
- Extraction: Once in the normal shell, cat /etc/bandit_pass/bandit33 was executed to retrieve the key.
Key Takeaways / Lessons Learned
Relying on simple text filters (like forcing uppercase) to restrict a shell is a severe vulnerability. There are always environment variables or special characters that the filter overlooks. As an attacker, testing internal system variables like $0, $SHELL, or env is the first step in performing a shell breakout (jailbreak).
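The filter's blind spot next to an allowlist-based alternative, as an added example that is not part of the original writeup or of the Bandit wrapper itself. The function names and the menu of permitted commands are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed example: upper_filter, survives_filter and restricted_run
# are hypothetical names, not taken from the level's real wrapper.

# Weak control described above: uppercase the whole input line before it
# is handed to a shell for evaluation.
upper_filter() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Returns 0 when the filter leaves the input unchanged, meaning the input
# contains no character the filter can act on.
survives_filter() {
    [ "$(upper_filter "$1")" = "$1" ]
}

# Hardened alternative: user text is never evaluated as shell syntax.
# The exact input string is matched against a fixed menu, and each entry
# runs a fixed command. Anything else is rejected, so no expansion of
# user-supplied text ever takes place.
restricted_run() {
    case "$1" in
        uname) uname -s ;;
        year)  date -u +%Y ;;
        *)     printf 'rejected\n'; return 1 ;;
    esac
}

# Report how the filter treats a few constructed sample inputs.
audit_samples() {
    for sample in 'ls' 'cat /etc/hostname' '$0' '$1'; do
        if survives_filter "$sample"; then
            printf '%-20s unchanged by filter\n' "$sample"
        else
            printf '%-20s -> %s\n' "$sample" "$(upper_filter "$sample")"
        fi
    done
}

audit_samples
```

The allowlist decides on the whole input string, so it does not depend on guessing which characters are dangerous.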
Pass 33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0