
Overthewire Bandit Level 19 -> 20

Solution for the Overthewire.org Bandit level 19 -> 20

Level Goal

To gain access to the next level, you should use the setuid binary in the home directory.
Execute it without arguments to find out how to use it.
The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.


Walkthrough

Log in to the server using the password obtained from the previous level, Bandit level 18 -> 19.

username: bandit19

ssh bandit19@bandit.labs.overthewire.org -p 2220

After logging in we check what is in the home directory. There is a single file, bandit20-do.
Running file on it tells us it is a setuid 32-bit ELF executable that has not been stripped of its symbols.

bandit19@bandit:~$ ls
bandit20-do

bandit19@bandit:~$ file bandit20-do 
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped

We are told in the Level Goal that the file is a setuid binary. When an executable has the setuid (set user id) bit set, the kernel runs it with the effective user id of the file's owner rather than of the user who launched it, so whoever may execute the file can do what its owner can do. (The setgid bit does the same for the file's group.) The bit shows up as an s in the owner's execute position of the mode string.

Looking at the file owner and group in ls -al we can see the owner is bandit20 and the group is bandit19. The mode -rwsr-x--- has the setuid bit set and grants execute permission to the group, so bandit19 is allowed to run it. Going by who the file owner is and the file's name, we can assume that running bandit20-do will let us run commands as bandit20.

bandit19@bandit:~$ ls -al
total 28
drwxr-xr-x  2 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rwsr-x---  1 bandit20 bandit19 7296 May  7  2020 bandit20-do
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile
bandit19@bandit:~$
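The check above (find the setuid bit, then read off the owner whose privileges it grants) is the standard first step of privilege-escalation enumeration. As an added example that is not part of the original walkthrough, the POSIX shell script below automates it: find_setuid lists every setuid file under a directory with its mode and owner, and setuid_runs_as reports which user a given file would run as. The helper names, the constructed sample tree built by demo_setup in a temporary directory, and the mode 4750 (the same rwsr-x--- that bandit20-do has) are this example's own; on a real target you would call find_setuid / instead.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: enumerate setuid
# executables below a directory and report which user each one runs as.
# On a target: find_setuid / 2>/dev/null. Here demo_setup builds a
# constructed sample tree in a temp dir so the script runs offline.

# List every regular file below $1 with the setuid bit set, printed as
# "mode owner group path" (parsed from ls -ld; assumes no spaces in paths).
find_setuid() {
    find "$1" -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $1, $3, $4, $NF }'
}

# Print the user a setuid file runs as (its owner), or nothing if the file
# is not setuid. `test -u` is the POSIX check for the setuid bit.
setuid_runs_as() {
    if [ -u "$1" ]; then
        ls -ld "$1" | awk '{ print $3 }'
    fi
}

# Build a constructed sample tree: one wrapper with mode 4750 (rwsr-x---,
# the mode bandit20-do has) and one plain 0755 script. The wrapper is a
# shell script only so the enumeration has something to find; Linux
# ignores the setuid bit on interpreted scripts, so it grants nothing.
demo_setup() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexec "$@"\n' > "$d/do-as-owner"
    chmod 4750 "$d/do-as-owner"
    printf '#!/bin/sh\nid\n' > "$d/plain"
    chmod 0755 "$d/plain"
    echo "$d"
}

# Usage: enumerate the constructed tree and show, for each hit, whether the
# current user may execute it and whose effective uid it would grant.
demo_main() {
    d=$(demo_setup)
    find_setuid "$d" | while read -r mode owner group path; do
        if [ -x "$path" ]; then exe="executable by you"; else exe="not executable by you"; fi
        echo "$path: $mode owner=$owner group=$group -> runs with euid of $owner ($exe)"
    done
    rm -rf "$d"
}
```

Only the owner matters for what a setuid file grants; the group and the group/other execute bits decide who is allowed to launch it, which is why a file like bandit20-do with mode -rwsr-x--- is usable by bandit19 but by nobody outside that group.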

Running the file without arguments prints its usage, and the example given is the id command.
id shows the user and group ids of the current process.
When we run id by itself, the uid, gid and groups are all bandit19.

However, when we run ./bandit20-do id we get an extra field: the euid (effective user id) is 11020, bandit20.
This means the id command was run with bandit20's effective uid. The real uid is still bandit19, but the kernel checks file permissions against the effective uid, so anything bandit20 can read, this command can read. (Spawning an interactive shell this way is less convenient, because bash drops an effective uid that differs from the real uid unless it is started with -p.)

bandit19@bandit:~$ ./bandit20-do 
Run a command as another user.
  Example: ./bandit20-do id

bandit19@bandit:~$ id
uid=11019(bandit19) gid=11019(bandit19) groups=11019(bandit19)

bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)

Now that we can run commands as bandit20, we can simply read bandit20's password, which is not readable as bandit19, directly from /etc/bandit_pass/bandit20.

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksE##########################

This post is licensed under CC BY 4.0 by the author.