OverTheWire: Bandit Level 19 → Level 20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Helpful Reading Material
The Unix access rights flags setuid and setgid (short for "set user ID" and "set group ID") allow users to run an…
We have been told there is an binary file that is present in the home directory which somehow can help us to access the password of bandit20. Lets have a look at the binary
bandit20-dobandit19@bandit:~$ ls -l
-rwsr-x--- 1 bandit20 bandit19 7296 May 7 2020 bandit20-do
We can see that the file is called
bandit20-do and when we list the details of the file we can see that the binary file can be executed by the current user (bandit19) and it is owned by bandit20
To run an executable file we just need to specify its name along with the location. The file is in the current working directory so we can use
./<filename> to access the file
Run a command as another user.
Example: ./bandit20-do id
The file tells us that it allows us to run a command as another user. Lets see an example of running an command as another user using the id command
uid=11019(bandit19) gid=11019(bandit19) groups=11019(bandit19)bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
We observe that when we use the binary file we are assigned the uid for bandit20 as well which means we can run commands as if we are bandit20
Now that we know we can run commands as bandit20 so lets use the binary to access the password of user bandit20
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
We have found the password for the next level !!!
Logout of the current session and start the next level using the password of bandit20
> ssh email@example.com -p 2220
This is a OverTheWire game server. More information on http://firstname.lastname@example.org's password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j