1. Home
  2. Training Library
  3. Programming
  4. Programming Courses
  5. Penetration Testing and Privilege Escalation with Bandit

Bandit Suid



The course is part of this learning path

Start course
3h 8m

This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.


Hi, within this lecture, we're going to continue our OverTheWire challenge bandit level 19. Now, we have Bandit20-do over here. So, this is an executable, and if we just surround the file Bandit20-do, we can see that this is an executable indeed. And there is a great hint on the right hand side which says that this is a setuid binary, which means that we get to run this in an escalated privileged fashion. So, let me show you what I mean. It says that the password for this level can be found in the usual place. So, remember we have this passwords in the etc bandit_pass. So, if we run this cat etc bandit_pass and Bandit19, then we can get the password for the 19. But if we run this for Bandit20, then we cannot get this, right? Because only Bandit20 can cat this out. But if we run this Bandit20-do, so this is a file that we can run as another user, and in this case, it's Bandit20, okay? If you run this regularly, it will say that run a command as another user. So, this is what setuid does actually. We're going to deep dive into suids in the following sections. So, right now, I'm going to run ID and you will see that on Bandit19, but if I run this Bandit20-do ID now, you will see that my euid is Bandit20. So, we can use this Bandit20-do to run commands as if we are Bandit20, okay? And it means that we can easily get out the bandit_pass for the Bandit20. So, all we got to do is just surround Bandit20-do cat and etc bandits pass bandits and Bandit20. And here we go. We got back the password for the Bandit20. Now, I'm going to copy this and save it to my password.txt. And if you don't know how to use Suids, we're going to deep dive into them especially in the privilege escalation sections, no worries. They are temporary permissions and we can run Suid commands as if we are like escalated privilege fashion, okay? So, I'm going to go into the Bandit20 right now and I'm just going to test to see if we got the right password or not. So, here we go. We are inside of Bandit20, which means that we got the right password. So, I'm going to go to the next level which is level 21. So, this is about setuids one more time. So, let's see setuid binary in the home directory that does the following. It makes a connection to localhost on the port you specify as a command line argument, okay? So, it then reads a line of text from the connection and compares it to the password in the previous level, Bandit20. If the password is correct, it will transmit the password for the next level. Yep. So, we're going to give the Bandit20 password and it will give us the Bandit21 password and yep great. So, let me try this again. Since this is about Suids, it will give us some kind of like an escalated privilege and we will take leverage of that. And again, this is a legitimate privilege escalation technique so that we're going to see those a lot in the following sections, but for right now we're just practicing it, okay? So, let me just take the level 20 password over here. Okay, we have that. So, let me see what we have here in the Bandit20. So, there should be a file, okay? Yup, here you go, suconnect. So, when we run this suconnect, let's see what it asks us. This program will connect you given part on local host  using TCP, great. If it receives the correct password from the other side, next password is transmitted back. So, this is kind of tricky. It doesn't ask us to give the password to this port, okay? So, we cannot do that I believe. It asks us to transmit the password from another thing, another terminal or another connection, something like that. So, let me try to run an Nmap to see the open ports over here in our local host. And I believe we have to find a TCP ports  to transmit that information. So, we have the ssh, yep, here you go. We have the ssh obviously. We have some kind of different things over there and I believe we have seen this 30000s, we have used them in the previous challenges, right? We have the 6000s over here. Maybe we can do something with those, I don't know. We have this 113 ident. Let's try either of these like 6010, okay? Did it connect? Let's try to copy and paste some stuff. Let's see if this works or not. Let's come over here. Let's paste this and let's hit 'Enter'. It doesn't do anything, right? So, maybe we can try with the other ports here as well. But again, I believe it's looking for something else. So, let me try to connect like something like 4444, which doesn't exist here anyway. Maybe we can create a port over here by just running NetCat or NCat, and we can try to connect back to that port from another terminal, which makes sense to you, right? Let's try that Netcat listen 4444, and it will just try listening, start listening. And if I just connect to Bendit20 from another terminal over here  and give the password over there, let's do that. Let's come over here and just open in another session, in another terminal. Okay, now I have two sessions for Bandit20. Now, let me try this one more time suconnect 4444. It says that it couldn't connect. Let me come back over here as you can see we are listening over there. So, this port should be opened, but I cannot connect it for some reason. Maybe, we should specify the local host  and ports explicitly and try like that because we don't know how the suconnect thing works. This is an executable. I believe we have to just specify the port that we are trying to connect to but again this way we will be much more certain. So, I'm going to say local host -P 4444. And over there, I'm just going to try it one more time. And here you go. I believe this work now. So, make sure you run the same comment like that. And I'm going to copy and paste the thing over here one more time because we are instructed to do that, right? So, give the password 20 Bandit20 and receive the password 21. Here you go. Now it worked. I believe we got the thing here and from the other terminal as well. So, great I'm going to copy and paste this thing. Let me see which one we're going to get. They're the same I believe. So, I'm going to copy this one, and here you go. Now, let me try one more time. I'm going to copy this one if I can. Here you go. Now, I'm going to exit out of this one and just try to connect to the Bandit21. So, let's try this and see if this works or not. So, I believe this was a little bit different, right? It's a little bit interesting. We already knew how to work with Netcat and again it doesn't work for some reason, let me try one more time. Maybe I couldn't copy even though I tried hard, so let me try one more time. And as I was saying, it was a little bit interesting in this section. However, we have learned something I believe. So, it's good to go. Now, we are inside of Bandit21 and don't forget to nano here and just save your password  so that you can keep a good log. So, I'm going to stop here and continue with the level 21 within the next lecture.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.