The Goal

There is a setuid binary called bandit20-do in the home directory. Use it to access the password, which is in the usual location (/etc/bandit_pass) but only readable by user bandit20.

The Approach

A setuid binary runs with the effective user ID of its owner rather than that of the user who executes it. Here bandit20-do is owned by bandit20, so whatever command you pass to it is executed with bandit20's privileges. file reports the setuid flag on the executable (ls -l shows it as an s in the owner's execute position), and running whoami through it confirms the elevated identity:

bandit19@bandit:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=38f1351d0068ccbbace0e437f34859de85e63025, for GNU/Linux 3.2.0, not stripped
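
Before trusting a binary like this one, it is worth knowing which setuid executables are present and whose privileges each would grant. The script below is an added example, not part of the original walkthrough: it checks the set-user-ID bit with the POSIX test -u and reports the owner of every setuid file in a directory (owner lookup assumes GNU stat, with an ls -l fallback).

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit a directory for
# setuid executables and report whose privileges each one would grant.

# is_setuid PATH -> exit status 0 if PATH is a regular file with the
# set-user-ID bit on (POSIX `test -u`).
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# owner_of PATH -> prints the owning user name.
# Assumption: GNU stat is available; otherwise fall back to parsing ls -ld.
owner_of() {
    if stat -c %U "$1" 2>/dev/null; then
        return 0
    fi
    ls -ld "$1" | awk '{print $3}'
}

# list_setuid_in DIR -> prints "owner<TAB>path" for every setuid regular
# file directly inside DIR (not recursive; use `find DIR -perm -4000` for
# a whole tree).
list_setuid_in() {
    dir=$1
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue        # skips ., .. and unmatched globs
        is_setuid "$f" || continue
        printf '%s\t%s\n' "$(owner_of "$f")" "$f"
    done
}

# count_setuid_in DIR -> number of setuid files found, handy in scripts.
count_setuid_in() {
    list_setuid_in "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_setuid.sh ~   (lists setuid binaries in your home directory)
if [ "$#" -gt 0 ]; then
    list_setuid_in "$1"
fi
```

Run against the Bandit home directory this should report bandit20-do as owned by bandit20; the owner column is the user whose privileges any command you pass to the binary will inherit.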

A path starting with ./ is resolved relative to the current working directory, so the binary must be called by its full path (or via ~/) when you are anywhere other than the home directory. Calling ./bandit20-do from within /etc/bandit_pass/ fails because the binary is not there:

bandit19@bandit:~$ cd /etc/bandit_pass/
bandit19@bandit:/etc/bandit_pass$ ./bandit20-do whoami
-bash: ./bandit20-do: No such file or directory
bandit19@bandit:/etc/bandit_pass$ ~/bandit20-do whoami
bandit20
bandit19@bandit:/etc/bandit_pass$ whoami
bandit19
bandit19@bandit:/etc/bandit_pass$ ~/bandit20-do cat bandit20
password

Commands Covered

  • ~/binary command, run a binary from the home directory regardless of current working directory
  • file binary, inspect the type of an executable (shows setuid flag)