Post

OverTheWire Bandit: Level 18 to Level 19

OverTheWire Bandit: Level 18 to Level 19

The Goal

The password is in a file called readme in the home directory. The problem: .bashrc has been modified to log you out immediately when you SSH in, before you can run any commands.

What I Did

Normal SSH login would drop me straight back out because of the modified .bashrc. The fix is to tell SSH to run a specific command directly instead of starting an interactive shell:

1
ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"

It prompted for the password exactly like every other level. After entering it, instead of dropping into a shell, it ran cat readme directly, printed the password, and disconnected.

Why This Works

.bashrc is a script that runs every time bash starts an interactive shell. When you SSH in normally, the server authenticates you and then starts an interactive bash session — which reads and executes .bashrc. If that file has been modified to immediately log you out, you never get a chance to type anything.

But SSH supports passing a command as an argument:

1
ssh user@host "command"

When you do this, SSH connects, authenticates, and instead of starting an interactive shell, it runs that one command directly on the remote machine, returns the output, and closes the connection. Because no interactive shell is started, .bashrc is never read or executed at all.

Where the Confusion Was

I initially thought passing a command after the hostname would also skip the password prompt — it doesn’t. The password prompt is part of the SSH authentication handshake, handled by the SSH client and server before anything else happens. Whether you’re requesting an interactive shell or asking SSH to run one specific command, authentication happens first and exactly the same way. The only thing that changes is what happens after you’re authenticated — full shell versus single command.

What I Learned

.bashrc only runs for interactive shells. Non-interactive command execution through SSH bypasses it entirely. This is a useful technique any time a shell’s startup files are broken, modified, or you simply don’t need a full interactive session.

SSH authentication and shell startup are separate steps. Authentication confirms who you are. Shell startup is what happens afterward to give you a working environment. Bypassing the shell doesn’t bypass authentication — they’re independent.

Running remote commands without an interactive shell is also how automated scripts and tools commonly interact with remote servers — connect, run one command, get the result, disconnect. No persistent session needed.

Commands Used

CommandWhat it did
ssh bandit18@... -p 2220 "cat readme"Authenticated normally, then ran cat readme directly instead of starting an interactive shell, bypassing the broken .bashrc
This post is licensed under CC BY 4.0 by the author.