Bandit Level 26 → 27
Login: ssh bandit26@bandit.labs.overthewire.org -p 2220
Password: s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
task
Good job getting a shell! Now, there is a setuid binary in the homedirectory that does things for the next user. Find out how to use it to get the password.
theory lil bit
- SUID (Set User ID): Sometimes executables are configured to run with the permissions of the user who owns the file, rather than the user who runs the file. This script is owned by
bandit27and has the SUID bit set, meaning any command we pass into it will be executed withbandit27's privileges.
my approach / solution
1. Inspect the home directory: Right after breaking out of the Vim shell from the previous level, I checked what was sitting in the home directory.
bandit26@bandit:~$ ls bandit27-do text.txt
2. Figure out the binary:
I ran the bandit27-do executable without any arguments to see if it had a help menu or expected syntax. It clearly stated it runs commands as another user.
bandit26@bandit:~$ ./bandit27-do Run a command as another user. Example: ./bandit27-do id
3. Test the execution:
I ran the example command to verify it was working as intended. The output showed my effective user ID (euid) successfully shifted to bandit27.
bandit26@bandit:~$ ./bandit27-do id uid=11026(bandit26) gid=11026(bandit26) euid=11027(bandit27) groups=11026(bandit26)
4. Capture the password:
Since I now had a direct way to execute commands as bandit27, I used the binary to read the protected password file for the next level.
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27 upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB
<!-- truncate -->
