Bandit19->20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Commands useful to solve the level
Helpful Reading Material
- setuid on wikipedia
- setUID and getUID bits
- Difference between euid and uid StackOverflow Discussion
Where to start?
The only thing in our home directory is an executable called bandit20-do. The instructions for this level tell us to execute it without arguments to find out how to use it.
Part 1 : Using the setuid binary
When running the executable without arguments, we see the following :
Run a command as another user.
Example: ./bandit20-do id
Hint
Using the example of the bandit20-do executable, can you figure out the command
to execute to print the bandit20 password to stdout?
Solution
When running the example, we can see the following output :
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$
By running the stat command on the file /etc/bandit_pass/bandit20, we see the following output :
File: /etc/bandit_pass/bandit20
Size: 33 Blocks: 8 IO Block: 4096 regular file
Device: 10301h/66305d Inode: 517599 Links: 1
Access: (0400/-r--------) Uid: (11020/bandit20) Gid: (11020/bandit20)
Access: 2024-06-04 21:38:04.747961484 +0000
Modify: 2023-10-05 06:19:06.591227890 +0000
Change: 2023-10-05 06:19:06.595227900 +0000
Birth: 2023-10-05 06:19:06.591227890 +0000
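The file is readable only by its owner, bandit20 (mode 0400). When we run a command through the bandit20-do executable, we act as the user bandit20 (the euid=11020 in the id output above). We can thus cat this file and retrieve the password string. Here is the final command :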
./bandit20-do cat /etc/bandit_pass/bandit20
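The permission check behind this step, as an added C example that is not part of the original write-up: a simplified model of the kernel's owner/group/other read check, fed with the UIDs, GIDs and mode from the id and stat output above. The struct and function names are hypothetical, and the model assumes no ACLs, no capabilities and no special case for root.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Identity of a process as used for file permission checks (hypothetical struct). */
struct cred {
    uid_t ruid;            /* real UID: who started the process */
    uid_t euid;            /* effective UID: what the permission check uses */
    gid_t egid;            /* effective GID */
    const gid_t *groups;   /* supplementary groups */
    size_t ngroups;
};

/* Simplified classic Unix read check. Exactly one permission class applies:
   owner if euid matches, else group, else other. The real UID is never consulted. */
int may_read(const struct cred *c, mode_t mode, uid_t fuid, gid_t fgid)
{
    if (c->euid == fuid)
        return (mode & S_IRUSR) != 0;
    if (c->egid == fgid)
        return (mode & S_IRGRP) != 0;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == fgid)
            return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Values taken from the id and stat output in this write-up. */
static const gid_t bandit19_groups[] = { 11019 };
const struct cred plain_shell = { 11019, 11019, 11019, bandit19_groups, 1 };
const struct cred via_wrapper = { 11019, 11020, 11019, bandit19_groups, 1 };

int main(void)
{
    const mode_t mode = 0400;   /* -r-------- */
    const uid_t fuid = 11020;   /* owner: bandit20 */
    const gid_t fgid = 11020;   /* group: bandit20 */

    printf("bandit19 shell:    read %s\n",
           may_read(&plain_shell, mode, fuid, fgid) ? "allowed" : "denied");
    printf("via ./bandit20-do: read %s\n",
           may_read(&via_wrapper, mode, fuid, fgid) ? "allowed" : "denied");
    return 0;
}
```

The only field that differs between the two credentials is euid, which is exactly what the setuid bit on bandit20-do changes.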
Full Solution
Run ./bandit20-do cat /etc/bandit_pass/bandit20 to print the password string on stdout.
You can now jump to the next level