OverTheWire Bandit: Level 26 → Level 27
Context
We have successfully escaped the restricted shell in the previous level and are now logged in as bandit26. However, the instructions for this level are unusually vague:
“Good job getting a shell! Now hurry and grab the password for bandit27!”
And the only suggested command is ls.
This level is a lesson in Enumeration: The art of exploring your environment to find tools or vulnerabilities when you don’t know exactly what to look for.
Solution
Step 1: Look Around (Enumeration)
Since the hint is ls, let’s check our home directory:
ls -l
You will see a file named bandit27-do. Let’s look closer at its permissions:
-rwsr-x--- 1 bandit27 bandit27 7268 May 7 2024 bandit27-do
Notice the s in the permissions (rws). This stands for SetUID (SUID).
It means that when you run this program, it executes with the effective user ID of the file’s owner (bandit27), not your own (bandit26).
This is our ticket to the next level! This binary allows us to run commands as bandit27.
Step 2: Exploit the SUID Binary
Let’s test it to see how it works:
./bandit27-do
# Output: Run a command as another user.
# Example: ./bandit27-do id
It tells us exactly what to do. It executes whatever command we pass to it, but with bandit27’s privileges.
To get the password, we just need to read the password file for bandit27:
./bandit27-do cat /etc/bandit_pass/bandit27
This will print the password for the next level.
Key Takeaways
- Enumeration: When in doubt, look around. Check files, permissions, running processes, and network connections.
- SUID (Set User ID): A powerful Linux permission feature. If a binary has the SUID bit set, it runs as the owner of the file. Misconfigured SUID binaries are a common vector for Privilege Escalation.
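The same enumeration can be run from the defender's side as an audit that lists SUID files and reports any that are not on an approved list. The script below is an added example, not part of the original write-up; the function names, the allowlist format (one absolute path per line) and the scratch files in the demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID files missing from an allowlist.
# Function names and the allowlist format (one absolute path per line) are
# assumptions made for this example.

# Print every regular file under $1 that has the setuid bit (mode 4000) set.
list_suid() {
    # -xdev keeps the search on one filesystem; unreadable directories are skipped.
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print an `ls -ld` line for each SUID file under $1 that is not listed in the
# allowlist file $2. Returns 0 if every SUID file is expected, 1 otherwise.
audit_suid() {
    unexpected=$(list_suid "$1" | grep -Fvx -f "$2" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | while IFS= read -r f; do
        ls -ld -- "$f"   # the owner column shows whose privileges the file grants
    done
    return 1
}

# Constructed demo: a scratch directory with one SUID file and one plain file.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/helper-do"; chmod 4750 "$d/helper-do"
    printf '#!/bin/sh\n' > "$d/plain";     chmod 0750 "$d/plain"
    : > "$d/allow"                         # empty allowlist: nothing is approved
    audit_suid "$d" "$d/allow" || echo "unexpected SUID files found"
    rm -rf "$d"
}
demo
```

On a real host, point `audit_suid` at `/` with an allowlist built from a known-good baseline and review every line it prints, paying particular attention to files owned by accounts other than the one expected to run them.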