Skip to main content
🧠Educationalintermediate13 min read

OverTheWire Bandit Level 20: Understanding setuid Binaries and Privilege Escalation

OverTheWire Bandit Level 20 walkthrough. Learn about setuid binaries, how they work, and how to use them for privilege escalation. Essential concept for Linux security.

OverTheWireBanditLinuxprivilege escalationsetuidintermediateCTF
Share:𝕏in
🔗OverTheWire Bandit Series
Part 21 of 34
📚View all posts in OverTheWire Bandit series

🔐 OverTheWire Bandit Level 20: Understanding setuid Binaries and Privilege Escalation

Level 20 introduces a critical Linux security concept: setuid binaries. This is where things start getting interesting—you're learning about privilege escalation, which is one of the most important skills in penetration testing.

Level 20 teaches you:

  • What setuid binaries are and how they work
  • How to identify setuid binaries
  • How to execute commands with elevated privileges
  • The security implications of setuid binaries

If you've made it this far, you've learned file operations, permissions, and basic Linux commands. Now it's time to understand how programs can run with different privileges than the user who executes them. This concept is fundamental to Linux security and privilege escalation.

🎯 The Objective

After logging into bandit19, your goal is to find the password for Level 20. The password is stored in /etc/bandit_pass/bandit20, but you can't read it directly—you don't have permission.

What Level 20 teaches:

  • Understanding setuid binaries
  • Using setuid binaries to execute commands with different privileges
  • How privilege escalation works in Linux
  • The security implications of setuid binaries

The challenge: There's a setuid binary in your home directory called bandit20-do. This binary runs commands as the bandit20 user, which has permission to read the password file. Your job is to figure out how to use it.

🔍 Understanding the Problem

Let's start by connecting to Level 19 and seeing what we're dealing with:

sshpass -p `cat bandit19` ssh bandit19@bandit.labs.overthewire.org -p 2220

Once connected, let's see what's in the directory:

ls -la

You should see a binary file called bandit20-do. Notice something interesting about it—it's highlighted differently (often in red) and has special permissions.

The problem: You need to read /etc/bandit_pass/bandit20, but you don't have permission. However, there's a setuid binary that can run commands as bandit20, which does have permission.

🧠 What Is setuid? Understanding Privilege Escalation

Here's what's happening: A setuid binary is a program that runs with the privileges of the file's owner, not the user who executes it.

How setuid Works

Normally, when you run a program, it runs with your user's privileges. If you're bandit19, the program runs as bandit19. But setuid binaries are special—they run as the file's owner instead.

Example:

  • File owner: bandit20
  • File has setuid bit set: s in permissions
  • You execute it as: bandit19
  • Program runs as: bandit20 (the owner, not you!)

This is how sudo works under the hood—it's a setuid binary owned by root.

Identifying setuid Binaries

You can identify setuid binaries by looking at the file permissions:

ls -la bandit20-do

What you'll see:

-rwsr-x--- 1 bandit20 bandit19 14876 Jan 16 12:00 bandit20-do

Breaking down the permissions:

  • - — Regular file (not a directory)
  • rws — Owner permissions: read, write, setuid (the s instead of x)
  • r-x — Group permissions: read, execute
  • --- — Others: no permissions

The key: That s where you'd normally see x (execute) means the setuid bit is set. When you run this binary, it executes as bandit20, not as your current user.

Why setuid Exists

setuid binaries exist to allow users to perform specific privileged operations without giving them full root access. Common examples:

  • passwd — Allows users to change their own passwords (needs to write to /etc/shadow)
  • sudo — Allows authorized users to run commands as root
  • ping — Needs root privileges to create raw network sockets
  • mount — Needs root privileges to mount filesystems

The security trade-off: setuid binaries are powerful but dangerous. If a setuid binary has a vulnerability, an attacker can potentially escalate privileges.

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 19

sshpass -p `cat bandit19` ssh bandit19@bandit.labs.overthewire.org -p 2220

Step 2: List Files and Check Permissions

ls -la

You should see bandit20-do. Notice the s in the permissions—that's the setuid bit.

Step 3: Try Running the Binary

First, let's see what happens if we run it without arguments:

./bandit20-do

What happens: The binary will show you how to use it. It probably says something like "Run a command as another user" or gives you an error message that hints at usage.

Example output:

Run a command as another user.
Example: ./bandit20-do id

Step 4: Test with a Simple Command

Let's test it with the id command to see what user it runs as:

./bandit20-do id

What you'll see:

uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)

Breaking this down:

  • uid=11019(bandit19) — Your real user ID (who you are)
  • euid=11020(bandit20) — Your effective user ID (who the system thinks you are)
  • groups=11019(bandit19) — Your group membership

The key: Notice euid=11020(bandit20). The effective UID is bandit20, which means the command ran as bandit20, not as bandit19.

Step 5: Read the Password File

Now that we know the binary runs commands as bandit20, let's use it to read the password file:

./bandit20-do cat /etc/bandit_pass/bandit20

What this does:

  • ./bandit20-do — Runs the setuid binary
  • cat /etc/bandit_pass/bandit20 — The command to execute as bandit20

The output will be the password for Level 20!

Why this works: The cat command runs as bandit20 (because of setuid), and bandit20 has permission to read /etc/bandit_pass/bandit20.

Step 6: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit20

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit20 -NoNewline

Step 7: Connect to Level 20

sshpass -p `cat bandit20` ssh bandit20@bandit.labs.overthewire.org -p 2220

💡 Understanding setuid in Depth

Let's dive deeper into how setuid works and why it matters:

Real User ID vs. Effective User ID

When you run a setuid binary, Linux maintains two user IDs:

  • Real User ID (RUID) — Who you actually are (bandit19)
  • Effective User ID (EUID) — Who the system thinks you are (bandit20)

Why this matters: The system uses the EUID to check permissions. So even though you're bandit19, the system checks permissions as if you're bandit20.

Checking User IDs

You can see both IDs using the id command:

As yourself:

id

Output: uid=11019(bandit19) gid=11019(bandit19) groups=11019(bandit19)

Through setuid binary:

./bandit20-do id

Output: uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)

Notice the euid=11020(bandit20)—that's the effective user ID.

How setuid Permissions Work

The setuid bit is set using chmod:

chmod u+s filename    # Set setuid bit
chmod 4755 filename    # Set setuid bit (4 = setuid)

Permission breakdown:

  • 4 — setuid bit
  • 755 — Normal permissions (rwxr-xr-x)
  • 4755 — setuid + normal permissions

In the file listing:

  • -rwsr-x---s means setuid is set
  • -rwxr-x---x means setuid is NOT set

Security Implications

setuid binaries are powerful but dangerous:

Why they're dangerous:

  • If a setuid binary has a vulnerability, attackers can escalate privileges
  • Bugs in setuid binaries can lead to full system compromise
  • Overuse of setuid binaries increases attack surface

Best practices:

  • Minimize the number of setuid binaries
  • Keep setuid binaries updated
  • Audit setuid binaries regularly
  • Use principle of least privilege

🔒 Real-World Context

Why does this matter in penetration testing?

setuid binaries are a common privilege escalation vector. Here's how you'd approach this in a real assessment:

1. Finding setuid Binaries

During a penetration test, you'd look for setuid binaries:

# Find all setuid binaries
find / -perm -4000 -type f 2>/dev/null

# Find setuid binaries owned by root
find / -perm -4000 -user root -type f 2>/dev/null

Why: setuid binaries owned by root are especially interesting—they can give you root access if exploited.

2. Analyzing setuid Binaries

Once you find setuid binaries, analyze them:

  • Check for known vulnerabilities — Search for CVEs
  • Check file permissions — Can you write to it? Can you replace it?
  • Check for world-writable directories — Can you create a malicious version?
  • Check for path issues — Can you manipulate PATH to execute your own binary?

3. Common setuid Exploitation Techniques

Path manipulation:

# If a setuid binary uses relative paths
export PATH=/tmp:$PATH
# Create malicious binary in /tmp

Symlink attacks:

# If a setuid binary writes to a predictable location
ln -s /etc/passwd /tmp/predictable_location

Buffer overflows:

  • If a setuid binary has a buffer overflow vulnerability, you might be able to execute shellcode with elevated privileges

4. Real-World Examples

Historical vulnerabilities:

  • sudo — Multiple vulnerabilities over the years
  • passwd — Various issues with password change functionality
  • Custom setuid binaries — Often poorly written, full of vulnerabilities

The skill you're learning: Understanding how privilege escalation works. This is essential when:

  • Analyzing compromised systems
  • Performing privilege escalation
  • Understanding Linux security
  • Auditing system security

🛠️ Alternative Methods

Here are different ways to approach Level 20:

./bandit20-do cat /etc/bandit_pass/bandit20

Pros: Simple, direct, works immediately Cons: None really

Method 2: Using Shell

./bandit20-do /bin/bash
# Now you're in a shell as bandit20
cat /etc/bandit_pass/bandit20
exit

Pros: Gives you an interactive shell as bandit20 Cons: More steps, might not work if shell is restricted

Method 3: Testing First

# First, verify it works
./bandit20-do id

# Then read the password
./bandit20-do cat /etc/bandit_pass/bandit20

Pros: Confirms the setuid is working before reading password Cons: Extra step, but good practice

For Level 20, use Method 1 — it's the most straightforward.

🚨 Common Mistakes

Mistake 1: Not Understanding What setuid Does

Wrong thinking: "I'll just run the binary and it will give me the password."

Reality: The binary doesn't give you the password—it runs commands as bandit20. You need to tell it what command to run.

Solution: Read the binary's help message or try running it without arguments to see how to use it.

Mistake 2: Forgetting to Include the Command

Wrong:

./bandit20-do
# Just runs the binary, doesn't execute anything useful

Right:

./bandit20-do cat /etc/bandit_pass/bandit20
# Runs cat as bandit20

Why: The binary needs a command to execute. It's not a magic password revealer—it's a command executor.

Mistake 3: Not Understanding the Syntax

Wrong:

./bandit20-do -c "cat /etc/bandit_pass/bandit20"
# Might not work, depends on binary implementation

Right:

./bandit20-do cat /etc/bandit_pass/bandit20
# Simple: binary name, then command and arguments

Why: Most setuid binaries take the command as arguments directly, not as a flag.

Mistake 4: Not Checking Permissions First

Wrong: Assuming you can't read the file without checking.

Right:

# First, check if you can read it directly
cat /etc/bandit_pass/bandit20
# Permission denied? Then use setuid binary
./bandit20-do cat /etc/bandit_pass/bandit20

Why: Always verify the problem before applying the solution.

Mistake 5: Confusing setuid with sudo

Wrong thinking: "This is like sudo, so I need to use it differently."

Reality: setuid binaries work differently than sudo. They execute commands directly, not through a separate authentication mechanism.

Solution: Treat setuid binaries as command wrappers—they run commands as the file owner.

💻 Practice Exercise

Try these to reinforce what you learned:

  1. Check setuid binaries on your system:

    find /usr/bin -perm -4000 -type f 2>/dev/null | head -10

  2. Understand the permissions:

    ls -la /usr/bin/passwd
# Notice the 's' in permissions

  3. Test with id command:

    # As yourself
id

# Through setuid (if you have one)
./setuid-binary id

  4. Find setuid binaries owned by specific users:

    find / -perm -4000 -user root -type f 2>/dev/null | head -5

🎓 Understanding Privilege Escalation

This level introduces privilege escalation, which is a core concept in penetration testing:

What Is Privilege Escalation?

Privilege escalation is the process of gaining higher-level privileges than you currently have. In Linux, this usually means:

  • Going from regular user to root
  • Going from one user to another user
  • Gaining additional group memberships

Types of Privilege Escalation

Horizontal escalation: Gaining access to another user at the same privilege level

  • Example: From bandit19 to bandit20 (both regular users)

Vertical escalation: Gaining higher privileges

  • Example: From regular user to root

Level 20 is horizontal escalation — you're going from bandit19 to bandit20, both regular users.

Why Privilege Escalation Matters

In penetration testing, privilege escalation is often necessary to:

  • Access sensitive files
  • Modify system configurations
  • Access other users' data
  • Maintain persistence
  • Complete the assessment objectives

The skill you're learning: How to identify and use privilege escalation vectors. This is essential for:

  • Penetration testing
  • Red team exercises
  • Security assessments
  • Understanding Linux security

🔗 What's Next?

Level 21 introduces a new concept—likely related to network programming or more advanced privilege escalation techniques. You'll continue building on the concepts you've learned.

Before moving on, make sure you:

  • ✅ Understand what setuid binaries are
  • ✅ Know how to identify setuid binaries (ls -la, look for s)
  • ✅ Can execute commands through setuid binaries
  • ✅ Understand the difference between RUID and EUID
  • ✅ Know why setuid binaries are important for security

📚 Key Takeaways

After completing Level 20, you should understand:

  1. setuid binaries — Programs that run with the owner's privileges
  2. Privilege escalation — Gaining higher-level access
  3. RUID vs. EUID — Real user ID vs. effective user ID
  4. Security implications — Why setuid binaries are powerful but dangerous
  5. Real-world application — How to find and analyze setuid binaries

🎯 Quick Reference

ConceptExplanationExample
setuidBinary runs as file owner-rwsr-x--- (s = setuid)
RUIDReal user ID (who you are)uid=11019(bandit19)
EUIDEffective user ID (who system thinks you are)euid=11020(bandit20)
Execute through setuidRun command as owner./bandit20-do cat file
Find setuid binariesSearch for setuid bitfind / -perm -4000

🔍 Advanced: Understanding setuid Internals

If you want to go deeper, here's how setuid works under the hood:

The setuid System Call

When a setuid binary executes, it calls the setuid() system call:

setuid(geteuid());  // Set real UID to effective UID

This changes your real user ID to match the effective user ID.

Security Considerations

Why setuid is dangerous:

  • If the binary has bugs, they run with elevated privileges
  • Path manipulation can lead to executing malicious binaries
  • Environment variable manipulation can affect behavior
  • Race conditions can be exploited

Best practices:

  • Minimize setuid usage
  • Drop privileges when possible
  • Validate all inputs
  • Use secure coding practices

Questions about Level 20, setuid binaries, or privilege escalation? Reach out directly:

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice

Found this helpful? Share it:

Share:𝕏in

Need Help With This?

Have questions about implementing these security practices? Let's discuss your specific needs.

Get in Touch

More in Educational

Explore more articles in this category.

Browse 🧠 Educational

Related Articles