Level 19

Level Goal

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Solution

The bandit20-do executable is owned by the bandit20 user and has the setuid bit set (the s in the owner-execute position of -rwsr-x---). Its group is bandit19, and that group has read and execute permission, while everyone else has none. This means that anyone in the bandit19 group can execute the program, and it runs with the effective user ID of bandit20. When we execute the program with no arguments, it tells us we can provide a command for it to run. If we pass it the ‘whoami’ command, we can see that we do effectively have bandit20’s privileges. We can therefore use the executable to read the contents of the /etc/bandit_pass/bandit20 file.

root@0xCAB: /writeups/overthewire/bandit/level19/

$ ll
...
-rwsr-x--- 1 bandit20 bandit19 14872 Sep 1 06:30 bandit20-do*
...

$ ./bandit20-do
Run a command as another user.

$ ./bandit20-do whoami
bandit20

$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT

$
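
The permission string in the listing above can be decoded mechanically, which is the check to run when reviewing any setuid file. The script below is an added example, not part of the original writeup; explain_setuid is a hypothetical helper name, and it only reads the text of an ls -l line.

```shell
#!/bin/sh
# Added example: decode one `ls -l` line and report whose identity the file
# runs under and which callers may start it. Only the text is inspected.
# explain_setuid is a hypothetical helper name, not a standard tool.

explain_setuid() {
    # Word-split the listing into fields; globbing is off because the
    # name column may contain characters such as '*'.
    set -f; set -- $1; set +f
    mode=$1; owner=$3; group=$4

    # Fixed positions in the mode string: 4 = owner-execute slot,
    # 7 = group-execute slot, 10 = other-execute slot.
    ux=$(printf '%s' "$mode" | cut -c4)
    gx=$(printf '%s' "$mode" | cut -c7)
    ox=$(printf '%s' "$mode" | cut -c10)

    # 's' = setuid + owner execute, 'S' = setuid without owner execute.
    case $ux in
        s|S) ;;
        *) echo "no setuid: runs as the caller"; return 0 ;;
    esac

    # Collect every class that holds an execute bit.
    who=
    case $ux in s) who="owner $owner" ;; esac
    case $gx in x|s) who="${who:+$who, }group $group" ;; esac
    case $ox in x|t) who="${who:+$who, }everyone else" ;; esac

    if [ -z "$who" ]; then
        echo "setuid set but nobody may execute it"
        return 0
    fi
    echo "setuid: runs as $owner when started by $who"
}

# The listing line from this level (copied from the session above).
explain_setuid '-rwsr-x--- 1 bandit20 bandit19 14872 Sep 1 06:30 bandit20-do*'
```

To check a real file, pass it the output of ls -ld for that path.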