[ Docker ] Building the Bandit Wargame - Level 19 ( 20 / 33 )

1. Bandit19 Goal

To gain access to the next level, you should use the setuid binary in the homedirectory.
Execute it without arguments to find out how to use it.
The password for this level can be found in the usual place (/etc/bandit_pass),
after you have used the setuid binary.

Helpful Reading Material
setuid on Wikipedia

 

2. Bandit19 Implementation

# Connect as root, entering the password "root"
ssh -oStrictHostKeyChecking=no root@localhost -p 2220

chown -R root:root /home/bandit19/.[!.]*

cat <<'BANDIT_TMP' > /tmp/bandit20-do.c
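#define _GNU_SOURCE /* exposes the setresuid() prototype in <unistd.h> */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CMD_MAX 1000

int main(int argc, char **argv)
{
    /* Intentional for this level: take the setuid owner's UID (bandit20) as
       real, effective and saved UID, then run the caller's command with it. */
    uid_t euid = geteuid();
    if (setresuid(euid, euid, euid) != 0) {
        return 1;
    }
    // system("id");

    /* calloc zero-fills the buffer, so strcat starts from an empty string */
    char *arr = calloc(CMD_MAX, sizeof(char));
    if (arr == NULL) {
        return 1;
    }

    int i;

    for (i = 1; i < argc; i++)
    {
        /* stop if this argument, a space and the NUL would not fit */
        if (strlen(arr) + strlen(argv[i]) + 2 > CMD_MAX) {
            free(arr);
            return 1;
        }
        strcat(arr, argv[i]);
        strcat(arr, " ");
    }

    FILE *fp = NULL;
    char line[10240];

    /* popen hands the joined string to /bin/sh -c and returns its stdout */
    if ((fp = popen(arr, "r")) == NULL) {
        free(arr);
        return 1;
    }

    while (fgets(line, sizeof(line), fp) != NULL) {
        printf("%s", line);
    }

    pclose(fp);
    free(arr);
    return 0;
}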
BANDIT_TMP

gcc -o /home/bandit19/bandit20-do /tmp/bandit20-do.c

useradd bandit20 && echo -e "GbKksEFF4yrVs6il55v6gwY5aVje5f0j\nGbKksEFF4yrVs6il55v6gwY5aVje5f0j" | passwd bandit20

chown bandit20:bandit19 /home/bandit19/bandit20-do

chmod 755 /home/bandit20

chown root:root /home/bandit20

echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j > /etc/bandit_pass/bandit20

chown bandit20:bandit20 /etc/bandit_pass/bandit20

chmod 400 /etc/bandit_pass/bandit20

chmod 4750 /home/bandit19/bandit20-do
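
The ownership and mode steps above can be verified after the build with a short audit. This is an added example, not part of the original post; it assumes GNU stat, and the function names and the optional root prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit the level-19 file layout.
# Requires GNU stat (coreutils), as shipped in common Linux container images.

# check_perm PATH MODE OWNER GROUP
# MODE is the octal mode exactly as `stat -c %a` prints it (4750, 400, ...).
# Returns 0 when mode, owner and group all match, 1 otherwise.
check_perm() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    have=$(stat -c '%a %U %G' "$path") || return 1
    want="$want_mode $want_owner $want_group"
    if [ "$have" != "$want" ]; then
        echo "MISMATCH $path: have [$have], want [$want]"
        return 1
    fi
    echo "OK       $path [$have]"
}

# audit_level19 [ROOT]
# ROOT is a hypothetical prefix so the same check can run against a staged
# copy of the image; leave it empty to check the live container.
audit_level19() {
    root=${1:-}
    rc=0
    # setuid helper: runs as bandit20, executable only by group bandit19
    check_perm "$root/home/bandit19/bandit20-do" 4750 bandit20 bandit19 || rc=1
    # password file: readable by bandit20 only
    check_perm "$root/etc/bandit_pass/bandit20" 400 bandit20 bandit20 || rc=1
    return $rc
}
```

Run `audit_level19` as root inside the container. A helper that reports 750 instead of 4750 usually means a chown ran after the chmod, because Linux clears the setuid bit when a file's owner changes.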

 

3. Bandit19 Solution

# Connect by entering the password that was set for bandit19.
# IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
ssh -oStrictHostKeyChecking=no bandit19@localhost -p 2220

# Read bandit20's password
/home/bandit19/bandit20-do cat /etc/bandit_pass/bandit20