The password for the next level is stored in a file called readme in the home directory. However, there is a catch: someone has modified the .bashrc (or login profile) of the bandit18 user to log you out immediately upon login.
When I tried to log in normally using ssh bandit18@bandit.labs.overthewire.org, I saw a “Byebye!” message, and the connection closed instantly. This is a common trick where a script is set to run at login that terminates the session.
To bypass this, I needed to tell SSH to execute a specific command instead of starting the default interactive shell. When a command is given at the end of the SSH command line, the server runs that command and then closes the connection, bypassing the “logout” script in the profile.
Here is the command I used from my local terminal:
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
By adding cat readme at the end, I told the server: “Don’t worry about giving me a prompt; just read that file and send the text back to me.” It worked perfectly, and the password was printed directly to my screen.
[SPOILER]
The .bashrc and .profile files only affect interactive sessions, so providing a command directly can often bypass restrictions placed within them.
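The behaviour described above can be reproduced locally without any SSH server. This is an added example, not part of the original write-up: it builds a throwaway home directory with a constructed readme and a constructed .bashrc that logs out, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: a temporary HOME whose .bashrc ends every interactive
# session, compared with running a single command through "bash -c".

# Create the throwaway home directory and print its path.
make_demo_home() {
    home=$(mktemp -d)
    printf 'constructed-secret\n' > "$home/readme"          # stand-in for the level's readme
    printf 'echo "Byebye!"\nexit 0\n' > "$home/.bashrc"      # the logout trick
    printf '%s\n' "$home"
}

# Interactive shell: bash reads ~/.bashrc before it reads any input,
# so the "cat readme" typed on stdin is never executed.
interactive_login() {
    ( cd "$1" && env -i HOME="$1" PATH="$PATH" bash -i 2>/dev/null <<'EOF'
cat readme
EOF
    )
}

# Command mode: OpenSSH runs "ssh host <command>" as "$SHELL -c <command>".
# A non-interactive "bash -c" started this way (clean environment, stdin
# not a network socket) does not read ~/.bashrc, so the exit never runs.
command_mode() {
    ( cd "$1" && env -i HOME="$1" PATH="$PATH" bash -c "$2" </dev/null 2>/dev/null )
}

demo() {
    h=$(make_demo_home)
    printf 'interactive : %s\n' "$(interactive_login "$h")"
    printf 'command mode: %s\n' "$(command_mode "$h" 'cat readme')"
    rm -rf "$h"
}
```

Call `demo` to see both results side by side. For an administrator the point is that a logout line in a profile script is not an access control; a restriction that has to hold for every session type belongs in the SSH server configuration (for example `ForceCommand`) or in the account's login shell.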