Bandit19 - bandit20

From JaxHax

Level Goal

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.


So we have a setuid binary. This means it will execute in the context of the user who owns it (bandit20 here, per the ls output below), not the user who runs it.

bandit19@melinda:~$ ls
bandit19@melinda:~$ ls -lh
total 8.0K
-rwsr-x--- 1 bandit20 bandit19 7.2K Nov 14 10:32 bandit20-do
bandit19@melinda:~$ ./bandit20-do 
Run a command as another user.
  Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do 1
env: 1: No such file or directory
bandit19@melinda:~$ ./bandit20-do 0
env: 0: No such file or directory

So let's look at this binary real quick in gdb just to see what it does.

bandit19@melinda:~$ gdb ./bandit20-do 
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bandit20-do...(no debugging symbols found)...done.
(gdb) disassemble main 
Dump of assembler code for function main:
   0x0804847d <+0>:	push   %ebp
   0x0804847e <+1>:	mov    %esp,%ebp
   0x08048480 <+3>:	and    $0xfffffff0,%esp
   0x08048483 <+6>:	sub    $0x10,%esp
   0x08048486 <+9>:	cmpl   $0x1,0x8(%ebp)
   0x0804848a <+13>:	jg     0x80484ad <main+48>
   0x0804848c <+15>:	mov    0xc(%ebp),%eax
   0x0804848f <+18>:	mov    (%eax),%eax
   0x08048491 <+20>:	mov    %eax,0x4(%esp)
   0x08048495 <+24>:	movl   $0x8048560,(%esp)
   0x0804849c <+31>:	call   0x8048330 <printf@plt>
   0x080484a1 <+36>:	movl   $0x1,(%esp)
   0x080484a8 <+43>:	call   0x8048350 <exit@plt>
   0x080484ad <+48>:	mov    0xc(%ebp),%eax
   0x080484b0 <+51>:	movl   $0x8048591,(%eax)
   0x080484b6 <+57>:	mov    0xc(%ebp),%eax
   0x080484b9 <+60>:	mov    %eax,0x4(%esp)
   0x080484bd <+64>:	movl   $0x8048595,(%esp)
   0x080484c4 <+71>:	call   0x8048370 <execv@plt>
   0x080484c9 <+76>:	mov    $0x0,%eax
   0x080484ce <+81>:	leave  
   0x080484cf <+82>:	ret    
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) x/s 0x8048595
0x8048595:	"/usr/bin/env"
(gdb) quit

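So basically, it just runs "env [our arguments]": main overwrites argv[0] (the movl at <+51>) and then calls execv on "/usr/bin/env" with the rest of our argument vector untouched. This means it will basically just execute our command as the owner of the setuid binary. Let's test this a bit and go for the key if we are right.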

bandit19@melinda:~$ ./bandit20-do 0
env: 0: No such file or directory
bandit19@melinda:~$ /usr/bin/env 0
/usr/bin/env: 0: No such file or directory
bandit19@melinda:~$ /usr/bin/env ls
bandit19@melinda:~$ ./bandit20-do ls     
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
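
The logic recovered from the disassembly above, written out as an added C example (not code from the original page or the wargame's source), next to the allowlist check the binary lacks. The "env" value for the string at 0x8048591 is an assumption (the page only dumps 0x8048595), and prepare_exec(), allowed_cmd() and ALLOW[] are hypothetical names.

```c
/* Added example: reconstruction of bandit20-do's main from the gdb
 * listing, plus a hypothetical allowlist check for a hardened wrapper. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Mirrors <+9>..<+64>: returns the path handed to execv, or NULL when
 * argc <= 1 (the usage branch). Overwrites argv[0] as <+51> does. */
const char *prepare_exec(int argc, char **argv)
{
    if (argc <= 1)              /* cmpl $0x1,0x8(%ebp); jg main+48 */
        return NULL;
    argv[0] = "env";            /* movl $0x8048591,(%eax); "env" is assumed */
    return "/usr/bin/env";      /* x/s 0x8048595 */
}

/* Hypothetical hardening: only exact absolute paths are accepted, so
 * nothing is resolved through the caller-controlled PATH and env
 * options or VAR=value assignments in argv[1] are rejected. */
static const char *const ALLOW[] = { "/usr/bin/id", "/usr/bin/whoami" };

int allowed_cmd(const char *cmd)
{
    for (size_t i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++)
        if (strcmp(cmd, ALLOW[i]) == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *self = argv[0]; /* saved: prepare_exec overwrites argv[0] */
    const char *path = prepare_exec(argc, argv);
    if (path == NULL) {
        printf("Run a command as another user.\n  Example: %s id\n", self);
        return 1;
    }
    if (!allowed_cmd(argv[1])) {    /* the original has no such check */
        fprintf(stderr, "%s: %s: not permitted\n", self, argv[1]);
        return 1;
    }
    execv(path, argv);          /* env runs argv[1..] with the effective UID */
    return 0;
}
```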