Level 19 – bandit – overthewire
“To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.”
    bandit19@bandit:~$ ls -la
    total 28
    drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
    drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
    -rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
    -rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
    -rw-r--r--  1 root     root      655 Jun 24  2016 .profile
    -rwsr-x---  1 bandit20 bandit19 7408 Dec 28  2017 bandit20-do
    bandit19@bandit:~$ ./bandit20-do
    Run a command as another user.
    Example: ./bandit20-do id
    bandit19@bandit:~$ ./bandit20-do id
    uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
    bandit19@bandit:~$ cat /etc/bandit_pass/bandit20
    cat: /etc/bandit_pass/bandit20: Permission denied
    bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
    GbKksEFF4yrVs6il55v6gwY5aVje5f0j
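Listing the contents of the home directory reveals an executable, ‘bandit20-do’, with the setuid flag set. Running it without an argument prints a short usage message that explains what the program does.
If you are unfamiliar with setuid and its function, you need to read up about it. The ‘s’ in the owner permissions (-rwsr-x---) means the program runs with the effective user id of its owner, bandit20, while the group permissions allow members of bandit19 to execute it. The output of ‘./bandit20-do id’ confirms this: the real uid is still bandit19, but the euid is bandit20. A plain ‘cat’ of the password file is denied, whereas passing ‘cat /etc/bandit_pass/bandit20’ as the argument to bandit20-do gives us temporary access to bandit20’s password file under the effective user id of bandit20.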
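To see the same permission bits from the administrator's side, the following added example (not part of the original walkthrough) walks a directory tree and reports every setuid file, including which uid it runs as and who is allowed to execute it. The function names and the temporary directory built in demo() are assumptions made for illustration; the demo recreates the -rwsr-x--- mode from the listing on a constructed placeholder file.

```python
import os
import stat
import tempfile


def setuid_report(path):
    """Return a dict describing a setuid file, or None if the bit is not set."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
        return None
    return {
        "path": path,
        "mode": stat.filemode(st.st_mode),   # same string ls -l prints
        "runs_as_uid": st.st_uid,            # effective uid the process receives
        "group_gid": st.st_gid,
        "group_can_exec": bool(st.st_mode & stat.S_IXGRP),
        "world_can_exec": bool(st.st_mode & stat.S_IXOTH),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
    }


def find_setuid(root):
    """Walk root and report every regular file with the setuid bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                report = setuid_report(os.path.join(dirpath, name))
            except OSError:
                continue  # entry vanished or is unreadable
            if report:
                found.append(report)
    return sorted(found, key=lambda r: r["path"])


def demo():
    """Build a constructed home directory mirroring the listing's mode bits."""
    home = tempfile.mkdtemp(prefix="bandit19-demo-")
    wrapper = os.path.join(home, "bandit20-do")   # constructed placeholder file
    plain = os.path.join(home, ".profile")
    for p in (wrapper, plain):
        with open(p, "w") as fh:
            fh.write("placeholder\n")
    os.chmod(wrapper, 0o4750)   # -rwsr-x--- as in the listing
    os.chmod(plain, 0o644)      # -rw-r--r--
    return find_setuid(home)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

On a real system, point find_setuid() at a directory such as /usr/bin and review any entry where world_can_exec or world_writable is true.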