Objective:
Find the password
Intel Given:
- To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it.
- The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
How to:
For once it looks like I have nothing to preach about before checking out the file that’s in our home directory, so let’s check it out!
Like the intel suggested, there’s a file in our home directory. The next suggestion is to execute it without arguments, so let’s do that. Executing files on Unix systems is accomplished very simply by giving the path to the file. If you are in the same directory as the file, you simply type ./ followed by the file name; as you may remember, the dot stands for the path up to the current directory, which currently is /home/bandit19/.
If we wanted to execute the file while we were in another directory, for example the home directory, we would just give the path to the file, like so.
The file gives us an example of running it with an argument, so let’s try it.
Looks like we have a bunch of identification numbers here. They are separated into a few different categories, so let’s go over a few. Uids are user identification numbers and are unique to each user. Uids of normal users start at 1000 and are theoretically unlimited, user number 0 is root, 1-99 are reserved for other predefined accounts, and 100-999 are reserved for other system accounts and groups. A gid is a group id. Remember a few lessons ago when we had to change our ssh key file’s permissions so that only we had access before we were able to log on? We had to change them because we had allowed people in our group access to our ssh key file. If our group members have read permission on it, they could copy it, making it a not-so-private key. If they have write permission, they could change something in our key file, rendering us unable to log on, and possibly causing us to never log on again.
An euid is also known as an effective user id. This is the one that is used when the system checks whether the user in question has sufficient permissions. A setuid binary runs with the euid of the file’s owner rather than that of the user who started it.
I have a feeling that the file that has the next password will only have read permission for the bandit20 user, but let’s see.
Hmm, permission denied. Let’s see what happens if we run it through our binary file.
Looks like a password to the next level to me!
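To make the uid/euid distinction concrete, here is an added example (my own sketch, not part of the original walkthrough and not the Bandit binary). It is a small C program that reports whether a file carries the setuid bit and which owner it would run as, and compares a read check made for the real uid with one made for the effective uid. The function names and the idcheck program name are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path has the setuid bit, 0 if not, -1 on error.
 * *owner receives the file owner: the euid a setuid program runs with. */
int setuid_owner(const char *path, uid_t *owner) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (owner) *owner = st.st_uid;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* 1 if this process's effective uid differs from its real uid. */
int running_setuid(void) { return getuid() != geteuid(); }

/* access(2) answers for the real uid (the user who launched us). */
int readable_as_real(const char *path) { return access(path, R_OK) == 0; }

/* open(2) is checked against the effective uid, like any real read. */
int readable_as_effective(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Usage (hypothetical program name): ./idcheck <binary> <file> */
int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s <binary> <file>\n", argv[0]);
        return EXIT_FAILURE;
    }
    uid_t owner = 0;
    int suid = setuid_owner(argv[1], &owner);
    if (suid < 0) { perror(argv[1]); return EXIT_FAILURE; }
    printf("uid=%d euid=%d setuid-context=%d\n",
           (int)getuid(), (int)geteuid(), running_setuid());
    printf("%s: setuid=%d owner uid=%d\n", argv[1], suid, (int)owner);
    printf("%s: readable as real uid=%d, as effective uid=%d\n",
           argv[2], readable_as_real(argv[2]), readable_as_effective(argv[2]));
    return EXIT_SUCCESS;
}
```

Run as an ordinary user, both read checks agree; they only diverge inside a process whose euid differs from its uid, which is the situation a setuid binary creates.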
Conclusion:
Learned about user ids and effective user ids, file permissions, and how to run executables.