OverTheWire Bandit Level 19–20

br4ind3ad
Aug 18, 2021

Given:

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

  1. ssh into bandit 19 using the password from the previous level

So what is setuid?

setuid (short for “set user ID”) is a permission bit that lets users run an executable with the file system permissions of the executable’s owner instead of their own. (Its sibling, setgid, does the same for the file’s group and also changes behaviour in directories.)

bandit19@bandit:~$ ls -la
total 28
drwxr-xr-x 2 root root 4096 May 7 2020 .
drwxr-xr-x 41 root root 4096 May 7 2020 ..
-rwsr-x--- 1 bandit20 bandit19 7296 May 7 2020 bandit20-do
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile

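The s in place of the owner’s x (-rwsr-x---) shows that bandit20-do is a setuid binary owned by bandit20, and the group bandit19 is allowed to execute it. So basically, we can use the setuid property and run commands through bandit20-do as bandit20.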

“Execute it without arguments to find out how to use it.”

bandit19@bandit:~$ ./bandit20-do 
Run a command as another user.
Example: ./bandit20-do id

When running a command with ./bandit20-do, our effective user ID (euid) is that of bandit20, while our real user ID (uid) stays bandit19.

bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)

When we simply run id on its own, we are only bandit19.

bandit19@bandit:~$ id
uid=11019(bandit19) gid=11019(bandit19) groups=11019(bandit19)

Therefore, we can exploit this property of setuid and run commands as bandit20.

Now, let's see who can see the password of bandit 20.

The passwords are stored in /etc/bandit_pass.

Let’s cd into /etc/bandit_pass:

bandit19@bandit:/etc/bandit_pass$ ls -la | grep bandit20
-r-------- 1 bandit20 bandit20 33 May 7 2020 bandit20

Here we can see that only the owner, bandit20, can read the password file.

Let’s view the password by exploiting the setuid property.

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v*****Vje5f0j
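
To see why a direct read as bandit19 is refused while the same cat succeeds through bandit20-do, here is a simplified model of the Unix permission check and the setuid rule on exec. It is an added example, not part of the original walkthrough or of OverTheWire's code. The UIDs, GIDs and mode strings come from the output above; the struct and function names are illustrative, and root override, supplementary groups, ACLs, the sticky bit and nosuid mounts are not modelled.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Illustrative names; a simplified model, not kernel code. */
struct creds { uid_t ruid, euid; gid_t gid; };

/* Turn an ls-style mode string such as "-rwsr-x---" into mode bits. */
mode_t parse_mode(const char *s) {
    static const mode_t bits[9] = { S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP,
                                    S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH };
    mode_t m = 0;
    if (strlen(s) != 10) return (mode_t)-1;
    for (int i = 0; i < 9; i++) {
        char c = s[i + 1];
        if (c != '-' && c != 'S' && c != 'T') m |= bits[i]; /* r, w, x, s, t */
        if (i == 2 && (c == 's' || c == 'S')) m |= S_ISUID;
        if (i == 5 && (c == 's' || c == 'S')) m |= S_ISGID;
    }
    return m;
}

/* Only the first matching class (owner, then group, then other) is consulted.
   want: 4 = read, 2 = write, 1 = execute. */
int allowed(struct creds c, uid_t owner, gid_t group, mode_t m, int want) {
    int shift = (c.euid == owner) ? 6 : (c.gid == group) ? 3 : 0;
    return ((int)(m >> shift) & want) == want;
}

/* exec of a setuid file: effective UID becomes the file owner, real UID stays. */
int exec_as(struct creds *c, uid_t owner, gid_t group, mode_t m) {
    if (!allowed(*c, owner, group, m, 1)) return -1;
    if (m & S_ISUID) c->euid = owner;
    return 0;
}

int main(void) {
    struct creds me = { 11019, 11019, 11019 };       /* bandit19, per the id output */
    mode_t tool = parse_mode("-rwsr-x---");          /* bandit20-do */
    mode_t pass = parse_mode("-r--------");          /* /etc/bandit_pass/bandit20 */
    printf("direct read allowed: %d\n", allowed(me, 11020, 11020, pass, 4));
    if (exec_as(&me, 11020, 11019, tool) == 0)
        printf("via bandit20-do: ruid=%u euid=%u read allowed: %d\n", (unsigned)me.ruid,
               (unsigned)me.euid, allowed(me, 11020, 11020, pass, 4));
    return 0;
}
```

The model also shows why the binary's group matters: a caller whose group is not bandit19 falls into the "other" class of -rwsr-x--- and cannot execute it at all.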
