Bandit Level 20 Walkthrough
Level 19 ➔ Level 20: Understanding the Power of setuid
1. My Objective
I am currently logged in as bandit19. My goal is to read the password for the next level located at /etc/bandit_pass/bandit20. However, as bandit19, I don't have permission to even touch that file. I am given a "setuid binary" in my home directory. I need to figure out how to use this program to act as bandit20 and read the restricted file.
The Fundamental Concept: In Linux, permissions usually follow the user. If I run a program, it has my permissions. A setuid file is an exception—it runs with the permissions of the file owner, regardless of who starts it.
2. The Feynman Explanation: The Master Key Robot
How can I open a safe if I don't have the combination? I find someone who does, or in this case, a special tool they left behind.
The Manager's Robot Analogy:
Imagine I work in a warehouse. I have a key that opens the front door, but I don't have the key to the Manager's Office.
However, the Manager has left a Special Robot (the setuid binary) in the hallway. This robot has the Manager's fingerprint programmed into it. The Manager says: "Anyone can talk to this robot and tell it to do one task."
If I tell the robot to "Go into the office and read that memo," the robot can walk right through the door because it has the Manager's Identity. Even though I gave the order, the Robot used the Manager's permissions to complete the task. This is exactly what a setuid binary does—it allows a low-privilege user (me) to perform a high-privilege task (reading the password) by "borrowing" the owner's identity.
3. Practical Solution
I start by examining the files in my home directory. I see a file named bandit20-do. I will check its permissions and then use it to read the password.
# Step 1: Look at the file permissions
bandit19@bandit:~$ ls -l
-rwsr-x--- 1 bandit20 bandit19 ... bandit20-do
# Notice the 's' in -rwsr-x---. That 's' means 'setuid'.
# The owner is bandit20. So this binary runs as bandit20!
# Step 2: Run it without arguments to see how it works
bandit19@bandit:~$ ./bandit20-do
Run a command as another user. Example: ./bandit20-do id
# Step 3: Use it to read the password for bandit20
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCaz929SAb36906sV... (The Password appears!)
Why did this work?
When I ran cat /etc/bandit_pass/bandit20 normally, the system said "Permission Denied" because I am bandit19. But when I ran it through ./bandit20-do, the operating system treated the request as if it were coming from bandit20. Since that password file is owned by bandit20, the system allowed the cat command to succeed.
🚀 My Pro Tips: Identifying setuid Risks
✨ Spotting the 's' bit
I always look for the small 's' in the execute position when I run ls -l. If the 's' is lowercase, the bit is set and the file is executable. If it's a capital 'S', the bit is set but the execute permission is missing (which is usually a mistake). In a security audit, I search for all setuid files on a system using:
find / -perm -4000 2>/dev/null
⭐ The Danger of Shell Injection
I must be careful when writing setuid scripts. If a setuid program allows me to run any command (like bandit20-do), it is essentially a backdoor. If a program is owned by root and has setuid, I could use it to become a superuser and take over the entire machine.
🔍 setuid vs setgid
Just like setuid (Set User ID), there is also setgid (Set Group ID). It shows up as an 's' in the group permission section and allows me to borrow the permissions of a specific group instead of a specific user.
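To make the 's' versus 'S' reading and the find audit from the two sections above concrete, here is an added shell example. It is not part of the original walkthrough or the Bandit game: the ls -l lines it parses are constructed sample data (only the bandit20-do line mirrors the real listing), and the find command is run over a throwaway directory created with mktemp instead of / so it finishes in seconds.

```bash
#!/bin/sh
# Added example, not part of the original walkthrough. It reads permission
# strings the way the post does ('s' vs 'S' in the owner and group slots) and
# rehearses the `find -perm -4000` audit against a scratch directory instead
# of `/`. The listing lines and file names below are constructed sample data.

# classify_mode MODE: print the special bits encoded in a 10-character
# ls -l mode string.
#   setuid         owner execute slot is 's' (bit set, file executable)
#   setuid-noexec  owner execute slot is 'S' (bit set, no execute permission)
#   setgid / setgid-noexec: the same reading applied to the group slot
#   none           neither bit set
classify_mode() {
    owner_x=$(printf '%s' "$1" | cut -c4)   # character 4: owner execute slot
    group_x=$(printf '%s' "$1" | cut -c7)   # character 7: group execute slot
    out=""
    case "$owner_x" in
        s) out="setuid" ;;
        S) out="setuid-noexec" ;;
    esac
    case "$group_x" in
        s) out="${out:+$out }setgid" ;;
        S) out="${out:+$out }setgid-noexec" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# audit_listing: read ls -l lines on stdin and print "owner name flags" for
# every entry that carries a setuid or setgid bit. Fields are: mode links
# owner group size month day time name (names containing spaces are not handled).
audit_listing() {
    while read -r mode links owner rest; do
        [ -n "$mode" ] || continue
        name=${rest##* }
        flags=$(classify_mode "$mode")
        case "$flags" in
            none) ;;
            *) printf '%s %s %s\n' "$owner" "$name" "$flags" ;;
        esac
    done
}

# count_setuid_under DIR: the audit command from the post, restricted to DIR
# and to regular files; prints how many setuid files were found.
count_setuid_under() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# demo: the bandit20-do line mirrors the post; the other three lines are
# constructed. Then build a scratch tree with one setuid-marked file and count.
demo() {
    printf '%s\n' \
        '-rwsr-x--- 1 bandit20 bandit19 14876 Oct  1 12:00 bandit20-do' \
        '-rwxr-xr-x 1 root     root      1234 Oct  1 12:00 harmless' \
        '-rwSr--r-- 1 root     root      1234 Oct  1 12:00 broken-setuid' \
        '-rwxr-sr-x 1 root     staff     4321 Oct  1 12:00 group-helper' \
        | audit_listing
    scratch=$(mktemp -d) || return 1
    touch "$scratch/plain" "$scratch/marked"
    chmod u+s "$scratch/marked" 2>/dev/null || true
    printf 'setuid files under %s: %s\n' "$scratch" "$(count_setuid_under "$scratch")"
    rm -rf "$scratch"
}

demo
```

Run it as a normal user: the listing pass reports bandit20-do as setuid, broken-setuid as setuid-noexec (the capital 'S' case) and group-helper as setgid, while the scratch-directory pass finds exactly one setuid file. Swapping the scratch directory for / turns count_setuid_under back into the system-wide audit from the post; adding -type f keeps the directories, where the bit has no effect on Linux, out of the list.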
4. Why this matters
I see setuid binaries every time I use Linux. Common commands like passwd (to change your password) or sudo must have setuid to function. They need to modify protected system files that you, as a normal user, can't touch. Understanding how this identity-swapping works is critical for both securing a system and finding vulnerabilities in one.
Access Elevated!
I've successfully used a setuid binary to bypass file permissions. I'll save the password and move on to Level 20 ➔ Level 21, where I will deal with multi-terminal networking!
Tags: #Linux #Bandit #OverTheWire #setuid #Permissions #PrivilegeEscalation #SysAdmin #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips