
OverTheWire Bandit: Level 19 → Level 20

Technical Note

Context

Normally in Linux, when you run a program, it runs with your permissions. If you cannot read a file, neither can the program you run.

However, programs with the SUID (Set User ID) bit set are the exception: they run with the permissions of the file's owner rather than those of the user who launched them. For example, passwd is owned by root and therefore runs as root, which lets an ordinary user update their own password (by writing to protected system files).

In this level, we are given a binary bandit20-do with the SUID bit set. Its owner is bandit20.

Goal

Use the bandit20-do binary to read the password file /etc/bandit_pass/bandit20, which we normally cannot access.

Solution

Step 1: Inspect the File

Let’s check the home directory:

ls -la

You will see a line like this:

-rwsr-x--- 1 bandit20 bandit19 14876 ... bandit20-do

  • Owner: bandit20.
  • The s in the owner-execute position of the permissions: the SUID bit. Whoever runs this program is treated by the system as bandit20 for the duration of its execution.
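As an added example (not part of the original walkthrough), here is a small POSIX shell helper that checks a permission string like the one above for the SUID bit and then audits a directory for SUID binaries, the way a defender inventories them before deciding which ones are really needed. The names mode_has_suid and list_suid_in are chosen here and are not tools on the Bandit server; the permission string is the one from this level's listing.

```shell
#!/bin/sh
# mode_has_suid MODE
# MODE is the permission field printed by `ls -l`, e.g. -rwsr-x---.
# Returns 0 when the set-user-ID bit is present. The owner-execute slot
# (4th character) shows 's' for SUID with execute and 'S' for SUID without
# execute. An 's' in the group-execute slot (7th character) is SGID, a
# different bit, so it is deliberately not matched. A trailing '.' or '+'
# (SELinux label / ACL marker) is tolerated.
mode_has_suid() {
    case $1 in
        [-dlcbps]??[sS]??????*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# list_suid_in DIR
# Audit helper: print "owner mode path" for every regular file below DIR
# that carries the SUID bit. `find -perm -4000` matches files whose 04000
# bit is set regardless of the other bits; `test -u FILE` is the POSIX
# single-file equivalent and is used here as a cross-check.
list_suid_in() {
    find "$1" -type f -perm -4000 -print 2>/dev/null |
        while IFS= read -r path; do
            [ -u "$path" ] || continue
            # Fields of `ls -ld`: mode links owner group size ... name
            set -- $(ls -ld "$path")
            printf '%s %s %s\n' "$3" "$1" "$path"
        done
}

# Demo 1: the line from this level's `ls -la` listing (constructed input).
if mode_has_suid '-rwsr-x---'; then
    echo 'bandit20-do: SUID bit set, runs with the privileges of its owner'
fi

# Demo 2: inventory SUID binaries under the usual system location. Every
# entry is code that crosses a privilege boundary and deserves review.
list_suid_in /usr/bin
```

Each line of the audit output names the account whose rights a caller gains, which is the first question to ask about any SUID file: is that grant still needed, and does the program do only what its owner intended?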

Step 2: Test the Program

Run it without arguments to see how it works:

./bandit20-do

Output: Run a command as another user. Example: ./bandit20-do id

It seems this program executes whatever command we give it, but as bandit20. It's like a simplified sudo!

Let’s verify:

./bandit20-do id

Output: uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) ...

Note that the euid (Effective User ID) is bandit20. The effective UID is the identity the system uses for permission checks, so for the duration of this command we effectively are bandit20.
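As an added example (not from the original walkthrough), the following POSIX shell helpers parse an id(1) line like the one above and separate the real UID from the effective one, flagging when they differ. The point it shows that the text alone does not: id prints the euid= field only when it differs from uid=, so a parser that looks for euid= alone silently reports nothing for a normal shell. The function names and the sample line constant are chosen here; the sample line itself is the one shown in Step 2.

```shell
#!/bin/sh
# The id(1) line from Step 2, used here as constructed sample input so the
# helpers can be exercised without the Bandit server.
SAMPLE_ID_LINE='uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)'

# real_uid_from_id_line LINE      -> numeric real UID (the uid= field)
real_uid_from_id_line() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p'
}

# effective_uid_from_id_line LINE -> numeric effective UID.
# id(1) prints euid= only when it differs from uid=, so the fallback is
# the real UID, not an empty string.
effective_uid_from_id_line() {
    case $1 in
        *euid=*) printf '%s\n' "$1" | sed -n 's/.*euid=\([0-9][0-9]*\).*/\1/p' ;;
        *)       real_uid_from_id_line "$1" ;;
    esac
}

# name_of_uid_in_line LINE UID    -> the account name id(1) printed next to UID
name_of_uid_in_line() {
    printf '%s\n' "$1" | sed -n "s/.*[=,]$2(\([^)]*\)).*/\1/p"
}

# privilege_boundary_crossed LINE
# Returns 0 (and explains) when effective != real, i.e. the caller is
# executing inside a SUID/SGID context. Permission checks use the
# effective UID, so that is the identity that decides file access.
privilege_boundary_crossed() {
    r=$(real_uid_from_id_line "$1")
    e=$(effective_uid_from_id_line "$1")
    if [ "$r" != "$e" ]; then
        printf 'real uid %s(%s) but effective uid %s(%s): file access is checked as %s\n' \
            "$r" "$(name_of_uid_in_line "$1" "$r")" \
            "$e" "$(name_of_uid_in_line "$1" "$e")" "$e"
        return 0
    fi
    printf 'real and effective uid are both %s: no privilege boundary crossed\n' "$r"
    return 1
}

# Demo: the Bandit sample, then the shell this script itself runs in.
privilege_boundary_crossed "$SAMPLE_ID_LINE"
if ! privilege_boundary_crossed "$(id)"; then
    echo 'this shell is not running under a SUID binary'
fi
```

On the Bandit host, `./bandit20-do sh -c 'id'` fed into privilege_boundary_crossed would report bandit19 as real and bandit20 as effective; in an ordinary shell the two match and the function returns 1.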

Step 3: Get the Password

Since we have bandit20 privileges, we can simply cat the password file:

./bandit20-do cat /etc/bandit_pass/bandit20

Output:

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Congratulations, you’ve just performed Privilege Escalation!

Key Takeaways

  1. SUID (SetUID): Indicated by an s in the owner-execute position of the file permissions. It grants whoever executes the file the temporary permissions of the file's owner, which makes every SUID binary a privilege boundary: a flaw in one, or a deliberately permissive one like bandit20-do, hands the owner's rights to any user allowed to run it, so SUID files are a standard item in any system security audit.
  2. Effective UID: The identity the OS uses for permission checks, distinct from the real user ID.