Bandit Level 32 → Level 33

 

Goal

After all this git stuff its time for another escape. Good luck!

모든 git 작업을 마친 후 또 다른 탈출의 시간이다. 행운을 빈다!
 
Commands you may need to solve this level
`sh`, `man`
 

Write Up

WELCOME TO THE UPPERCASE SHELL
>> id
sh: 1: ID: Permission denied
>> reset
sh: 1: RESET: Permission denied
>>

 
모든 입력을 대문자로 변경하는 shell이다. 이 shell에 대한 정보를 확인해볼 필요가 있다. 다른 계정으로 로그인하면 해당 shell의 정보를 볼 수 있을 것이다.

bandit0@bandit:~$ cat /etc/passwd | grep bandit32
bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell

bandit0@bandit:/home/bandit32$ ls -al
total 36
drwxr-xr-x  2 root     root      4096 Oct  5  2023 .
drwxr-xr-x 70 root     root      4096 Oct  5  2023 ..
-rw-r--r--  1 root     root       220 Jan  6  2022 .bash_logout
-rw-r--r--  1 root     root      3771 Jan  6  2022 .bashrc
-rw-r--r--  1 root     root       807 Jan  6  2022 .profile
-rwsr-x---  1 bandit33 bandit32 15128 Oct  5  2023 uppershell

bandit0@bandit:/home/bandit32$ file uppershell
uppershell: setuid regular file, no read permission

 
`uppershell` 파일은 setuid가 걸려 있는 파일이다. 따라서 bandit32 계정으로 로그인하면 bandit33의 패스워드 파일을 확인할 수 있다.

하지만 shell에 입력한 값은 모두 대문자가 되어 명령을 실행할 수 없으므로 문자를 사용하지 않고 명령어를 실행하는 방법을 생각해야 한다. `$0`는 실행 중인 프로그램의 경로를 의미한다.

>> $0
$ id
uid=11033(bandit33) gid=11032(bandit32) groups=11032(bandit32)
$ cat /etc/bandit_pass/bandit33