OverTheWire: Bandit Level 19

Bandit Level 19 → Level 20

Level Goal: To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

➜  ~ ssh bandit19@bandit.labs.overthewire.org -p 2220
bandit19@bandit:~$ ls -la
total 28
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rwsr-x---  1 bandit20 bandit19 7408 Dec 28  2017 bandit20-do
bandit19@bandit:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped
bandit19@bandit:~$ ls -la bandit20-do
-rwsr-x--- 1 bandit20 bandit19 7370 Nov 14  2014 bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
bandit19@bandit:~$ ./bandit20-do whoami
bandit20
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
bandit19@bandit:~$

Notes:

What is SUID Permission?

SUID (Set User ID) is a type of permission that lets a user execute a file with the permissions of the file's owner instead of their own. Files that have SUID permission can therefore run with higher privileges than the caller has. In this level the binary is owned by bandit20, which is why id reports euid=11020(bandit20). Assume we are accessing the target system as a non-root user and we find binaries with the SUID bit enabled: if those files/programs/commands are owned by root, they run with root privileges.

How to set suid?

Basically, you can change the permissions of any file using either the “Numerical” method or the “Symbolic” method. As a result, the x in the owner's permissions is replaced by s, which denotes a special execute permission that carries higher privilege for that particular file/command. Since we are enabling SUID for the owner (user), the bit 4 or the symbol s is added in front of the read/write/execute permissions.

If you execute ls -al with the file name and see a small ‘s’ in place of the owner's x, as in the -rwsr-x--- listing above, it means the SUID bit is enabled for that file and it executes with its owner's privileges (root privileges when root owns it).

How to Find SUID Files

By using the following command you can enumerate all binaries having SUID permissions:

find / -perm -u=s -type f 2>/dev/null
  • / denotes the starting point: begin at the top (root) of the file system and descend into every directory
  • -perm denotes a search for the permissions that follow
  • -u=s matches files that have the SUID bit set for the owner (user)
  • -type states the type of file we are looking for
  • f denotes a regular file, not directories or special files
  • 2 denotes file descriptor 2 of the process, i.e. stderr (standard error)
  • > means redirection
  • /dev/null is a special filesystem object that throws away everything written into it.
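
The find command above, turned into a small audit (an added example, not part of the original write-up): it lists SUID files under a directory, skips the ones named in a baseline file, and reports owner, mode and who may execute each remaining one. The function names, the baseline format (one absolute path per line) and the paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit setuid files under a directory against a baseline.
# Function names and the baseline format (one absolute path per line) are
# assumptions of this example, not something the level provides.

# list_suid ROOT: print every regular file under ROOT with the setuid bit
# set, one path per line. -xdev keeps find on ROOT's own filesystem.
list_suid() {
    find "$1" -xdev -type f -perm -u=s -print 2>/dev/null | sort
}

# runnable_by MODE GROUP: from an ls-style mode string, say who may execute
# the file. -rwsr-x--- (the mode of bandit20-do) gives "group:<GROUP>".
runnable_by() {
    case "$1" in
        ?????????[xt]*) echo "everyone" ;;
        ??????[xs]*)    echo "group:$2" ;;
        *)              echo "owner-only" ;;
    esac
}

# audit_suid ROOT [BASELINE]: report setuid files under ROOT that are not
# listed in BASELINE. Prints nothing when every file is expected.
audit_suid() {
    list_suid "$1" | while IFS= read -r path; do
        # Exact, fixed-string match so paths are never treated as regexes.
        grep -Fxq -- "$path" "${2:-/dev/null}" && continue
        ls -ld -- "$path" | {
            read -r mode links owner group rest
            printf 'UNEXPECTED owner=%s mode=%s runnable_by=%s %s\n' \
                "$owner" "$mode" "$(runnable_by "$mode" "$group")" "$path"
        }
    done
}

# Usage (hypothetical paths): sh audit_suid.sh /usr/bin /etc/suid.baseline
if [ "$#" -ge 1 ]; then
    audit_suid "$1" "${2:-/dev/null}"
fi
```

Run it once on a known-good system to build the baseline from list_suid, then re-run audit_suid periodically; any output line is a SUID file that appeared since.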
