Level 19 – bandit – overthewire

Level Instructions:

“To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.”

bandit19@bandit:~$ ls -la
total 28
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rwsr-x---  1 bandit20 bandit19 7408 Dec 28  2017 bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ cat /etc/bandit_pass/bandit20
cat: /etc/bandit_pass/bandit20: Permission denied
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Printing the contents of the home directory reveals an executable, ‘bandit20-do’, with setuid flag set.  Running the command without passing an argument reveals a bit of information into the programs function.

If you are unfamiliar with setuid and its function you need to read up about it.  Providing the argument ‘cat /etc/bandit_pass/bandit20’ to the bandit20-do program allows us temporary access to bandit20’s password file under the effective user id of bandit20.