OverTheWire.org Walkthrough: Bandit

~ Level 19→20 ~

Level Description

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

There are no commands recommended for this level. There is a link to a Wikipedia article on setuid.


Research Before Solving

The Wikipedia article provides information about setuid and setgid. The article specifically states that there are security risks associated with setting setuid on executable files, because the program runs with the privileges of the file's owner rather than those of the user who launches it. The level description itself uses the term execute, which is the hint that we are meant to run the binary rather than just read it.


Solution Walkthrough

Log in to the OverTheWire server as user bandit19. Once logged in, use ls to list the files in the home directory.

[Screenshot: output of ls showing bandit20-do]

We see a file with a red background titled bandit20-do. In the default ls color scheme this color denotes a file with escalated privileges (a setuid executable). Next we can use ls -l to show the permissions for bandit20-do.

[Screenshot: file permissions of bandit20-do]

File Permissions

The dash at the beginning means the line item is a file instead of a directory. The next three letters (r for read, w for write, and s for setuid) represent the permissions for the owner of the file who, in this instance, is bandit20. The s takes the place of what is usually an x (execute) because the setuid bit has been enabled; a lowercase s means the execute bit is set underneath it, while an uppercase S would mean setuid is set but the file is not executable. The next three characters belong to the file's group, in this instance bandit19. Users within the group bandit19 only have read and execute permissions. The final three dashes represent all other users' permissions. A dash denotes that a permission is not given, while a letter signifies that the permission is enabled.
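To make the permission string concrete, here is an added Python example (not code from the walkthrough or from OverTheWire) that decodes a 10-character ls -l mode string such as the one shown for bandit20-do into owner/group/other permissions, the special bits, and the octal mode. It generalizes slightly beyond the page: it also handles setgid, the sticky bit, and the uppercase S/T forms that mean the special bit is set without the execute bit. The mode strings used in the demo are constructed for illustration.

```python
from typing import Dict

# Leading character of an ls -l entry -> file type.
FILE_TYPES = {
    "-": "regular file", "d": "directory", "l": "symbolic link",
    "c": "character device", "b": "block device", "p": "fifo", "s": "socket",
}

# Per class: which special bit lives in its execute slot, and the octal digit it adds.
SPECIAL_BITS = {
    "owner": ("s", "setuid", 4),
    "group": ("s", "setgid", 2),
    "other": ("t", "sticky", 1),
}


def parse_mode_string(mode: str) -> Dict[str, object]:
    """Decode e.g. '-rwsr-x---' into structured permissions plus the octal mode."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string")
    if mode[0] not in FILE_TYPES:
        raise ValueError(f"unknown file type character {mode[0]!r}")

    result: Dict[str, object] = {"type": FILE_TYPES[mode[0]]}
    special_digit = 0
    digits = []
    perms = mode[1:]

    for i, who in enumerate(("owner", "group", "other")):
        r, w, x = perms[3 * i : 3 * i + 3]
        letter, flag, weight = SPECIAL_BITS[who]
        cls = {"read": r == "r", "write": w == "w"}

        if x == "-":
            cls["execute"] = False
        elif x == "x":
            cls["execute"] = True
        elif x == letter:            # lowercase: special bit AND execute bit
            cls["execute"] = True
            special_digit += weight
        elif x == letter.upper():    # uppercase: special bit WITHOUT execute bit
            cls["execute"] = False
            special_digit += weight
        else:
            raise ValueError(f"unexpected character {x!r} in {who} execute slot")

        result[flag] = x.lower() == letter
        result[who] = cls
        digits.append(4 * cls["read"] + 2 * cls["write"] + 1 * cls["execute"])

    result["octal"] = f"{special_digit}{digits[0]}{digits[1]}{digits[2]}"
    return result


def effective_user(mode: str, owner: str) -> str:
    """Who a process executing this file runs as: the owner if setuid, else the caller."""
    info = parse_mode_string(mode)
    if info["type"] != "regular file":
        raise ValueError("only regular files can be executed with setuid semantics")
    return owner if info["setuid"] else "the invoking user"


if __name__ == "__main__":
    # Constructed sample: the permission string shown for bandit20-do.
    entry = parse_mode_string("-rwsr-x---")
    print(entry["octal"], "setuid" if entry["setuid"] else "no setuid")
    print("runs as:", effective_user("-rwsr-x---", "bandit20"))
```

Running it on the page's own string reports mode 4750 with setuid set, which is why the binary runs as bandit20 regardless of who launches it.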

We are told to execute the file with setuid permissions. To do so, type the following into the shell prompt: ./bandit20-do

[Screenshot: executing bandit20-do]

Executing the file provides usage instructions. We are able to run a command as another user; the usage message shows the binary being run with id as the example command. Typing id --help, we find that id is itself a command.

[Screenshot: output of id --help]

The level description told us that we can find the password in the usual place. Now that we know id is a command, let's swap it out for a command that can read the file where the password is located. We will use this command next: ./bandit20-do cat /etc/bandit_pass/bandit20

[Screenshot: output of last command showing password to bandit20]

Our command was successful! The idea behind this is that while we run the file known as bandit20-do, the kernel gives the process the effective user ID of the file's owner, so it is as though we are user bandit20. The cat command that bandit20-do launched inherited that effective user ID, so it could read /etc/bandit_pass/bandit20 with bandit20's permissions.
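The real/effective user ID distinction described above can be checked directly on a live system. The following added Python example (not part of the walkthrough or of OverTheWire's own tooling) reports a process's real and effective UIDs and inspects a file's mode bits the way the kernel does before granting setuid semantics. The demo function builds two constructed files in a temporary directory and marks one with mode 4750 (the same shape as bandit20-do); these are sample data, not real setuid programs, and note that Linux ignores the setuid bit on interpreted scripts anyway, which is why the check is done on mode bits rather than by executing anything.

```python
import os
import pwd
import stat
import tempfile
from typing import Dict, Optional


def uid_name(uid: int) -> str:
    """Map a numeric uid to a login name, falling back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def process_identity() -> Dict[str, int]:
    """Real uid = who invoked the process; effective uid = what permission checks use.
    In a normal shell they match; inside a setuid program the effective uid is the file owner."""
    return {"real": os.getuid(), "effective": os.geteuid()}


def setuid_owner(path: str) -> Optional[int]:
    """Return the uid a process would take as its effective uid when executing `path`,
    or None if the file would not run with setuid semantics."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return None                      # only regular files can be setuid executables
    if not st.st_mode & stat.S_ISUID:
        return None                      # no setuid bit: runs as the caller
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return None                      # 'S' form: bit set but nothing can execute it
    return st.st_uid


def describe(path: str) -> str:
    """Human-readable summary, e.g. 'suid-like: setuid, runs as bandit20 (uid 1020)'."""
    owner = setuid_owner(path)
    if owner is None:
        return f"{os.path.basename(path)}: not setuid, runs as the invoking user"
    return f"{os.path.basename(path)}: setuid, runs as {uid_name(owner)} (uid {owner})"


def demo() -> Dict[str, Optional[int]]:
    """Create constructed sample files and check which of them would run setuid."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain")
        suid_like = os.path.join(d, "suid-like")
        for p in (plain, suid_like):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nid\n")   # placeholder contents, never executed here
        os.chmod(plain, 0o750)                # -rwxr-x---
        os.chmod(suid_like, 0o4750)           # -rwsr-x---, same shape as bandit20-do
        return {
            "plain": setuid_owner(plain),
            "suid_like": setuid_owner(suid_like),
            "me": os.getuid(),
        }


if __name__ == "__main__":
    ident = process_identity()
    print("real:", uid_name(ident["real"]), "effective:", uid_name(ident["effective"]))
    for name, uid in demo().items():
        print(name, "->", uid)
```

On the Bandit box the same check against /home/bandit19/bandit20-do would report bandit20 as the owner the effective uid switches to, which is exactly why cat, launched by that process, could open a file only bandit20 may read.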

Save the password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j, exit out of the session, and move on to the next level.