Host name is bandit.labs.overthewire.org
User: bandit19
password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Goal: To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Commands used for this level:
ls -l - list information about all the files, using a long listing format.
file - determine file type
cat - used to view contents of a file.
cd - change directory
Step 1.
After logging in type ls
You will see bandit20-do
Step 2.
Let's see what kind of file it is.
Type file bandit20-do
We see that it's a setuid ELF 32-bit LSB executable.
Step 3.
Let's get more info on the file.
Type ls -l
We see this output for our file.
-rwsr-x--- 1 bandit20 bandit19 7370 Nov 14 10:32 bandit20-do
We can break this down as follows:
- -rwsr-x---: permissions (the s in the owner's execute position is the setuid bit)
- 1: number of hard links
- bandit20: owner of the file
- bandit19: group the file belongs to
- 7370: size
- Nov 14 10:32: modification/creation date and time
- bandit20-do: file/directory name
This means we, being user bandit19 and therefore a member of group bandit19, can read and execute the file. Let's try running the file the way it is stated in the goal to see if we can find out how to use it to set our uid to bandit20.
Type ./bandit20-do (the ./ in front means current directory)
We get this output:
Run a command as another user.
Example: ./bandit20-do id
Step 4.
Let's try running the command again with the example.
Type ./bandit20-do id
We get the output of:
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
uid is user id
gid is group id
euid is effective user id
groups is groups it belongs to
The euid is used for permission checks in Linux. We can't just change to any EUID unless we are root.
Here are the rules:
- Changing the EUID to the SUID (saved user id) or the RUID (real user id) is always OK
- If you are root (UID 0), you can change to any UID. This will set all of EUID, RUID and SUID.
- Changing from root to any other UID
- RUID is set according to your login.
- EUID is different from RUID only when running Set UID programs, like su
The point is that a Set UID program can switch between the UID of the user who invoked it (that would be us, bandit19) and the owner of the executable (bandit20). Let's do one more thing and check the help info of the command.
Type ./bandit20-do --help
We get an output stating:
Set each NAME to VALUE in the environment and run COMMAND.
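The ls -l line from Step 3 and the id output from Step 4 fit together as shown in the following added example, which is not part of the original walkthrough. It is a POSIX shell function (suid_check is a made-up name) that decodes one ls -l line and reports whether a given user may execute the file and which effective user the process gets. It assumes the caller is not root, no ACLs are in play and the filesystem is not mounted nosuid.

```shell
#!/bin/sh
# Added example (not from the original post). suid_check is a made-up name.
# Usage: suid_check "<ls -l line>" <user> "<space-separated groups of user>"
# Prints exec=no, or exec=yes plus the effective user the process would get.
# Assumptions: caller is not root; no ACLs; filesystem not mounted nosuid.
suid_check() {
    line=$1; user=$2; groups=$3
    set -f                # no filename globbing while splitting the line
    set -- $line          # fields: mode links owner group size date... name
    set +f
    mode=$1; owner=$3; group=$4

    # Characters 4, 7 and 10 of the mode are the execute slots for
    # owner, group and others (x, s/S, t/T or -).
    ox=$(printf %s "$mode" | cut -c4)
    gx=$(printf %s "$mode" | cut -c7)
    tx=$(printf %s "$mode" | cut -c10)

    # Only one permission class applies: owner first, then group, then others.
    if [ "$user" = "$owner" ]; then
        slot=$ox
    else
        case " $groups " in
            *" $group "*) slot=$gx ;;
            *)            slot=$tx ;;
        esac
    fi

    # Lowercase x, s and t mean the execute bit is set for that class.
    case $slot in
        x|s|t) ;;
        *) echo "exec=no"; return 0 ;;
    esac

    # s or S in the owner slot is the setuid bit: the new process gets the
    # file owner as effective user while the real user stays the caller.
    case $ox in
        s|S) echo "exec=yes euid=$owner" ;;
        *)   echo "exec=yes euid=$user" ;;
    esac
}

# The listing from Step 3, checked for bandit19 (prints exec=yes euid=bandit20).
suid_check '-rwsr-x--- 1 bandit20 bandit19 7370 Nov 14 10:32 bandit20-do' \
    bandit19 'bandit19'
```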
Step 5.
Let's run our bandit20-do with a cat command on the place where we are told the file is located (/etc/bandit_pass) and see if it lets us view the file.
Type ./bandit20-do cat /etc/bandit_pass
We are told that /etc/bandit_pass: Is a directory
Let's change to /etc/bandit_pass and see what the directory contains for files and pick what file we actually want to view.
Step 6.
Type cd /etc/bandit_pass
Then do an ls -l
It shows that bandit20 is the owner of the bandit20 file, so let's go back to where our bandit20-do file is and run it again with bandit20 as the file to view.
Step 7.
Type cd ~
Then type ./bandit20-do cat /etc/bandit_pass/bandit20 and we get our password for the next level: GbKksEFF4yrVs6il55v6gwY5aVje5f0j