Concept
SETUID (Set User ID) Binaries. A Unix mechanism that allows users to execute files with the privileges of the file’s owner. It is a powerful but dangerous tool if misconfigured (privilege escalation vulnerability).
Key Commands
- ls -l: To identify the s bit in permissions (-rwsr-xr-x).
- ./file [command]: Execution of the wrapper binary.
Walkthrough
- Ran ls -l and located the bandit20-do binary, which belongs to user bandit20 and has the SETUID bit active.
- Executed: ./bandit20-do cat /etc/bandit_pass/bandit20

I used this program as a “bridge” to execute the cat command on the next level’s password file, which I didn’t have direct access to, but the binary’s owner did.
How did I know the directory?
In Bandit, passwords are conventionally stored in /etc/bandit_pass/banditX. In a real-world scenario, you would:
- Read the program’s source code (if available).
- Use strings bandit20-do to see what paths are hardcoded inside the binary.
- Use intuition/standard paths.
Key Takeaways
I learned that Linux permissions go beyond “read, write, and execute.” Special bits like SETUID allow for temporary delegation of authority. I realized that if a SETUID binary allows executing arbitrary commands, it represents a massive security hole.
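From the defender's side, the same ls -l check can be automated as an inventory of SETUID files compared against a reviewed allowlist. The following is an added example, not part of the original write-up; the file names known-tool and wrapper-do and the allowlist are constructed for the demonstration.

```python
import os
import pwd
import stat
import tempfile


def find_setuid(root):
    """Return one record per regular file under root that has the SETUID bit set."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue  # vanished or unreadable entry
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
                continue
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)  # uid with no passwd entry
            records.append({
                "path": path,
                "mode": stat.filemode(st.st_mode),  # same string ls -l shows
                "owner": owner,
                # True means any local user can run it with the owner's privileges.
                "world_exec": bool(st.st_mode & stat.S_IXOTH),
            })
    return sorted(records, key=lambda r: r["path"])


def unexpected(records, baseline):
    """Records whose path is not in the reviewed allowlist."""
    return [r for r in records if r["path"] not in baseline]


def demo():
    """Constructed sample tree: one allowlisted SETUID file, one not, one plain file."""
    with tempfile.TemporaryDirectory() as root:
        modes = {"known-tool": 0o4750, "wrapper-do": 0o4755, "plain": 0o755}
        for name, mode in modes.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)  # set the bit after the file is written
        found = find_setuid(root)
        flagged = unexpected(found, {os.path.join(root, "known-tool")})
        return ([(os.path.basename(r["path"]), r["mode"], r["world_exec"]) for r in found],
                [os.path.basename(r["path"]) for r in flagged])
```

On a real host, point find_setuid at the filesystem root and review every record that is world-executable and not on the allowlist.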
Pass 20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO