Bandit Level 19 → Level 20
Level Goal: To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
➜ ~ ssh email@example.com -p 2220
bandit19@bandit:~$ ls -la
total 28
drwxr-xr-x 2 root root 4096 Dec 28 2017 .
drwxr-xr-x 42 root root 4096 Jul 22 18:42 ..
-rw-r--r-- 1 root root 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 root root 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 root root 655 Jun 24 2016 .profile
-rwsr-x--- 1 bandit20 bandit19 7408 Dec 28 2017 bandit20-do
bandit19@bandit:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped
bandit19@bandit:~$ ls -la bandit20-do
-rwsr-x--- 1 bandit20 bandit19 7370 Nov 14 2014 bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
bandit19@bandit:~$ ./bandit20-do whoami
bandit20
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
bandit19@bandit:~$
What is SUID Permission?
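SUID (Set User ID) is a permission bit that makes a file execute with the privileges of the file's owner rather than those of the user who runs it. Files with the SUID bit therefore often run with higher privileges than the caller has. If we are on the target system as a non-root user and find a binary that has the SUID bit enabled and is owned by root, that file/program/command runs with root privileges. In this level the binary is owned by bandit20, so it runs as bandit20, which is what the euid=11020(bandit20) in the id output above shows.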
How to set suid?
You can change the permissions of any file using either the “Numerical” method or the “Symbolic” method. Setting SUID replaces the x in the owner's permissions with s, which denotes special execution permission with the higher privilege for that particular file/command. Since we are enabling SUID for the owner (user), the bit 4 (numerical) or the symbol s (symbolic) is added in front of the read/write/execute permissions.
If you run ls -al on the file and see the small ‘s’ in place of the owner's ‘x’, the SUID bit is enabled for that file and it executes with the privileges of its owner (root privileges when root owns it).
How to Find SUID Files
By using the following command you can enumerate all binaries having SUID permissions:
find / -perm -u=s -type f 2>/dev/null
- / means start from the top (root) of the file system and descend into every directory
- -perm means search for the permissions that follow
- -u=s means look for files that have the SUID bit set for the owner (user), whoever that owner is
- -type states the type of file we are looking for
- f denotes a regular file, not directories or special files
- 2 refers to file descriptor 2 of the process, i.e. stderr (standard error)
- > means redirection
- /dev/null is a special filesystem object that throws away everything written into it.
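The two ways of setting SUID and the find search described above, put together as an added example (not part of the original write-up). It works only on constructed files in a scratch directory; the file names and the function names make_demo, suid_report and suid_report_octal are hypothetical.

```shell
#!/bin/sh
# Added example. All files are constructed in a scratch directory;
# the names plain/symbolic/numeric/sgid_only are hypothetical.

# Create sample files with known modes and print the scratch directory path.
make_demo() {
    d=$(mktemp -d) || return 1
    for f in plain symbolic numeric sgid_only; do
        printf '#!/bin/sh\nid\n' > "$d/$f"
        chmod 755 "$d/$f"          # rwxr-xr-x, no special bits yet
    done
    chmod u+s  "$d/symbolic"       # symbolic method: owner x becomes s
    chmod 4755 "$d/numeric"        # numerical method: leading 4 is the SUID bit
    chmod 2755 "$d/sgid_only"      # SGID is a different bit; -u=s must not match it
    printf '%s\n' "$d"
}

# Print "mode uid path" for every SUID regular file under directory $1.
# The owner is reported because it decides whose privileges the file runs with.
suid_report() {
    find "$1" -perm -u=s -type f -exec ls -ldn {} + 2>/dev/null |
        awk '{ print substr($1, 1, 10), $3, $NF }' | sort
}

# Same search written with the numerical mode; the output should be identical.
suid_report_octal() {
    find "$1" -perm -4000 -type f -exec ls -ldn {} + 2>/dev/null |
        awk '{ print substr($1, 1, 10), $3, $NF }' | sort
}

demo=$(make_demo)
suid_report "$demo"
rm -rf "$demo"
```

Only symbolic and numeric are listed, both owned by the current user, which shows that -perm -u=s selects on the SUID bit and not on who owns the file.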