Bandit Level 27 Walkthrough
Level 26 ➔ Level 27: Leveraging Execution Privileges
1. My Objective
I have successfully "broken out" of the restricted shell using the terminal resizing trick from the previous level. I am now sitting in a real /bin/bash session as bandit26. My goal is simple: find and read the password for bandit27. However, I still don't have the permission to read /etc/bandit_pass/bandit27 directly. I need to find a tool that can.
The Current State: The hard work was escaping the cage. Now that I am free in the file system, I need to look for a setuid binary (similar to the one in Level 19) that belongs to the user bandit27.
2. The Feynman Explanation: The Official Proxy
How do I get a secret document if the clerk only hands it to authorized personnel? I find someone who is authorized and tell them to go get it for me.
The Courier Analogy:
Imagine I want to read a private letter stored in a vault. The guards (the Linux Kernel) won't let me in because I don't have the right badge.
However, there is a Courier (the setuid binary) standing in the lobby. This Courier has a permanent badge that allows him into the vault. The Courier says: "I will do exactly one task for anyone who asks."
I tell the Courier: "Go into the vault and read the letter out loud." Because the Courier is doing the work, the guards let him through. He sees the secret and repeats it to me. This is what bandit27-do does—it acts as a Courier for the user bandit27, allowing me to "reach" into their private files.
3. Practical Solution
Once I have my interactive bash shell open (from the Level 26 escape), I perform the following steps:
# Step 1: Look for the tool in my home directory
bandit26@bandit:~$ ls -l
-rwsr-x--- 1 bandit27 bandit26 ... bandit27-do
# Step 2: Use the tool to run 'cat' on the next password file
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
# The Courier returns with the prize:
Yn96Ng6pE6vSAr4S019SAb36906sV... (The Password Revealed!)
Why did this work?
The file bandit27-do is owned by bandit27 and has the setuid bit enabled (the 's' in place of the owner's 'x' in -rwsr-x---). When I execute it, the kernel runs the process with bandit27's effective user ID instead of mine, so any command it launches (here, cat) has the right to read the password file in /etc/bandit_pass/ and display it on my screen.
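As an added example that is not part of the original walkthrough, here is a small Python audit that decodes ls -l permission strings like the one above and reports which user or group a setuid/setgid binary would run as. The listing it parses is constructed for the example; the only line modelled on the page is the bandit27-do entry.

```python
"""Audit ls -l style output for setuid/setgid executables (added example)."""

# Constructed sample listing, not real output from the Bandit server.
SAMPLE_LISTING = """\
-rwsr-x--- 1 bandit27 bandit26 14884 Oct 18 11:20 bandit27-do
-rwxr-xr-x 1 bandit26 bandit26   512 Oct 18 11:20 notes.sh
-rwSr--r-- 1 root     root      1024 Oct 18 11:20 broken-suid
-rwxr-sr-x 1 root     shadow    9876 Oct 18 11:20 group-tool
drwxr-xr-x 2 bandit26 bandit26  4096 Oct 18 11:20 dir
"""


def parse_mode(mode: str) -> dict:
    """Decode a 10-character mode string such as '-rwsr-x---'.

    Position 3 is the owner's execute slot: 'x' plain, 's' setuid+exec,
    'S' setuid without exec. Position 6 is the same for the group (setgid).
    """
    user_x, group_x = mode[3], mode[6]
    return {
        "is_regular": mode[0] == "-",
        "setuid": user_x in "sS",
        "setgid": group_x in "sS",
        "owner_exec": user_x in "xs",
        "group_exec": group_x in "xs",
        "other_exec": mode[9] in "xt",
    }


def audit(listing: str) -> list:
    """Return one finding per setuid/setgid regular file in an ls -l listing."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 8)  # mode links owner group size mon day time name
        if len(parts) < 9:
            continue  # 'total N' header or blank line
        mode, _links, owner, group, _size, _mon, _day, _time, name = parts
        bits = parse_mode(mode)
        if not bits["is_regular"] or not (bits["setuid"] or bits["setgid"]):
            continue
        findings.append({
            "name": name,
            "runs_as_user": owner if bits["setuid"] else None,
            "runs_as_group": group if bits["setgid"] else None,
            # An 'S' with no execute bit anywhere cannot be launched, so it
            # grants no privilege path even though the setuid bit is set.
            "executable": bits["owner_exec"] or bits["group_exec"] or bits["other_exec"],
        })
    return findings
```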
🚀 My Pro Tips: Reusing Skills
✨ Recognizing setuid
I always keep my eyes peeled for that 's' in the ls -l output. In many Capture The Flag (CTF) challenges, finding a setuid binary is the "Golden Key" that allows you to escalate your privileges from a normal user to a more powerful one or even root.
⭐ The 'id' Command
If I'm ever unsure whose permissions a program is using, I use the id command through the binary:
./bandit27-do id
This will show me the **Effective User ID (EUID)**, confirming that the program is indeed running as bandit27.
🔍 Don't Close the Shell!
Since the escape in Level 26 was tricky, I make sure to copy the password carefully before typing exit. If I lose it, I have to go through the whole resizing and vi escape process all over again.
4. Why this matters
I see this behavior in the real world with commands like sudo. When I run a command through sudo, I am essentially using a setuid binary (the sudo program) to execute a task with the permissions of the root user. Understanding that permissions are not just tied to *who* you are, but also to the *program* you are running, is a fundamental concept in Linux security architecture.
Password Claimed!
I've successfully delegated my command to a privileged binary. I'll save this password and move on to Level 27 ➔ Level 28, where I will start interacting with Git repositories!
Tags: #Linux #Bandit #OverTheWire #setuid #Permissions #PrivilegeEscalation #Bash #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips