level3@blowfish:~$ /bin/ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
This stinks! So after doing some research on bypassing rbash, it appears if we can invoke a different shell, bash/sh, we are free to go. The only problem is that we cannot give it a full path to the binary and issuing the "sh" command doesn't seem to work. So let's check our PATH envar and see if we can edit it.
level3@blowfish:~$ echo $PATH
/home/rbash
level3@blowfish:~$ export PATH=/bin
-rbash: PATH: readonly variable
Doh! It doesn't seem like we can edit it. After some thinking, I wondered if I can invoke the perl command and launch the "sh" command via the system() function.
 |
| Getting shell |
Perfect! Now that we've gained shell, we still need to find a backdoor onto the next level. Like the previous challenge, I'll just use find to see any suid binaries owned by level4 and complete the challenge.
SPOILER! Highlight below to view the password:
n3xt_l3v3l!
