Bandit Level 19 → 20
Login: ssh bandit19@bandit.labs.overthewire.org -p 2220
Password: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
task
The password for the next level is stored in /etc/bandit_pass/bandit20. To access it, you must use a SetUID binary located in the home directory called bandit20-do.
theory lil bit
- SetUID (Set User ID): This is a special type of file permission in Unix-like systems. When an executable with the SetUID bit is run, it executes with the privileges of the file's owner rather than the person running it.
- bandit20-do: In this level, this binary is owned by
bandit20. Because it has the SetUID bit set, any command we pass to it will be executed as thebandit20user. - Privilege Escalation: This is a classic example of using a legitimate (but powerful) utility to perform actions your current user isn't allowed to do—like reading a password file restricted to the next level's user.
solution
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do whoami
bandit19@bandit:~$ ./bandit20-do whoami
bandit20
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
<!-- truncate -->
