🔐 OverTheWire Bandit Level 27: Using Your Escaped Shell and setuid Binaries

Level 27 is a continuation of Level 26. If you kept your shell open from the previous level, this one is straightforward. If you closed it, you'll need to repeat the escape process. This level reinforces what you learned about setuid binaries and shows why maintaining access is important.

Level 27 teaches you:

Maintaining shell access
Using setuid binaries (review from Level 20)
Working with your escaped shell
The importance of not closing sessions prematurely

If you completed Level 26, you have a shell as bandit26. Now you're learning to use that shell effectively and continue your privilege escalation journey.

🎯 The Objective

After escaping the restricted shell in Level 26, your goal is to find the password for Level 27. There's a setuid binary in the home directory that can help you read the password file.

What Level 27 teaches:

Using your escaped shell
Working with setuid binaries (review)
Maintaining access
Continuing privilege escalation

The challenge: Use the bandit27-do setuid binary to read the bandit27 password file.

🔍 Understanding the Problem

Important: This level assumes you have an active shell session from Level 26. If you closed that shell, you'll need to repeat the Level 26 escape process first.

If you kept your shell open, you should still be logged in as bandit26 with a full bash shell. Let's check:

whoami
pwd

You should see bandit26 and be in /home/bandit26.

The problem: You need to read /etc/bandit_pass/bandit27, but you don't have permission. However, there's a setuid binary that can help.

🧠 Review: setuid Binaries

This level uses the same concept as Level 20. Let's review:

setuid binaries run with the privileges of the file's owner, not the user who executes them.

In Level 27:

bandit27-do is owned by bandit27
It has the setuid bit set
When you run it, it executes commands as bandit27
bandit27 can read /etc/bandit_pass/bandit27

📋 Step-by-Step Walkthrough

Step 1: Verify You Have a Shell

If you kept your shell from Level 26, you should still be logged in. Verify:

whoami

You should see bandit26. If you see something else or get an error, you'll need to repeat the Level 26 escape process.

Step 2: List Files in Home Directory

ls -la

You should see a binary called bandit27-do. This is your target.

Step 3: Check the Binary Permissions

ls -la bandit27-do

What you'll see:

-rwsr-x--- 1 bandit27 bandit26 14876 Jan 16 12:00 bandit27-do

Breaking this down:

-rwsr-x--- — The s indicates setuid is set
bandit27 — Owner (who it runs as)
bandit26 — Group (your group)

Step 4: Test the Binary

Let's see how it works:

./bandit27-do

What you'll see: An error message or usage instructions. It probably says something like "Run a command as another user" or shows an example.

Example output:

Run a command as another user.
Example: ./bandit27-do id

Step 5: Test with id Command

Let's verify it runs as bandit27:

./bandit27-do id

What you'll see:

uid=11026(bandit26) gid=11026(bandit26) euid=11027(bandit27) groups=11026(bandit26)

Breaking this down:

uid=11026(bandit26) — Your real user ID
euid=11027(bandit27) — Effective user ID (who the system thinks you are)

The key: Notice euid=11027(bandit27). The binary runs commands as bandit27!

Step 6: Read the Password File

Now use the setuid binary to read the password:

./bandit27-do cat /etc/bandit_pass/bandit27

What you'll see: The password for Level 27!

Why this works: The cat command runs as bandit27 (because of setuid), and bandit27 has permission to read /etc/bandit_pass/bandit27.

Step 7: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit27

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit27 -NoNewline

Step 8: Connect to Level 27

Important: You'll need to SSH into bandit27 from your local machine, not from the current session. The current session is still bandit26.

From your local machine:

sshpass -p `cat bandit27` ssh bandit27@bandit.labs.overthewire.org -p 2220

💡 Understanding Why This Level Exists

This level serves several purposes:

1. Reinforcement

It reinforces the setuid concept from Level 20:

Same technique
Same thinking process
Builds muscle memory

2. Maintaining Access

It teaches the importance of:

Keeping shells open
Not closing sessions prematurely
Maintaining access for multiple levels

3. Workflow Continuity

It shows how levels can build on each other:

Level 26: Escape restricted shell
Level 27: Use that shell to escalate
Continuation of privilege escalation chain

🔒 Real-World Context

Why does this matter in penetration testing?

Maintaining access and continuing privilege escalation is essential:

1. Access Maintenance

In real assessments:

Keep shells open
Use persistence mechanisms
Don't lose access unnecessarily
Maintain multiple access points

2. Privilege Escalation Chains

Real privilege escalation often involves:

Multiple steps
Building on previous access
Using different techniques
Maintaining access throughout

The skill you're learning: How to maintain access and continue escalating privileges. This is essential for:

Penetration testing
Red team exercises
Understanding attack chains
Developing persistence

🛠️ Alternative Methods

Here are different ways to approach Level 27:

Method 1: Direct setuid Execution (Recommended)

./bandit27-do cat /etc/bandit_pass/bandit27

Pros: Simple, direct, works immediately Cons: None really

Method 2: Test First, Then Read

./bandit27-do id
./bandit27-do cat /etc/bandit_pass/bandit27

Pros: Confirms setuid is working Cons: Extra step

Method 3: Using Shell Through setuid

./bandit27-do /bin/bash
# Now you're in a shell as bandit27
cat /etc/bandit_pass/bandit27
exit

Pros: Gives you an interactive shell as bandit27 Cons: More steps, might not work if shell is restricted

For Level 27, use Method 1 — it's the most straightforward.

🚨 Common Mistakes

Mistake 1: Closing the Shell from Level 26

Wrong: Closing the terminal/shell session after Level 26.

Right: Keep it open! You need it for Level 27.

Why: If you close it, you'll have to repeat the entire Level 26 escape process (resize terminal, get into Vim, set shell variable, etc.).

Mistake 2: Trying to SSH from Current Session

Wrong: Trying to SSH into bandit27 from your current bandit26 session.

Right: Use the setuid binary to read the password, then SSH from your local machine.

Why: You're already bandit26. You don't need to SSH again—just use the setuid binary.

Mistake 3: Not Understanding You're Still bandit26

Wrong thinking: "I need to become bandit27 to read the password."

Reality: You're still bandit26, but you can use the setuid binary to run commands as bandit27.

Solution: Understand that setuid binaries let you run commands as the owner without changing your user.

Mistake 4: Forgetting setuid Syntax

Wrong: Trying to read the file directly or using wrong syntax.

Right: Use ./bandit27-do cat /etc/bandit_pass/bandit27.

Why: The binary needs a command to execute. It's not a magic password revealer—it's a command executor.

💻 Practice Exercise

Try these to reinforce what you learned:

Review setuid concepts:
```
ls -la bandit27-do
./bandit27-do id
```

Understand effective UID:

id
./bandit27-do id
# Compare the euid values

Practice with other commands:
```
./bandit27-do whoami
./bandit27-do pwd
```

🎓 Understanding Access Maintenance

This level reinforces access maintenance concepts:

Why Maintain Access?

Benefits:

Avoid repeating complex escape processes
Continue privilege escalation chain
Save time
Maintain context

In Level 27: Keeping the shell from Level 26 saves you from repeating the entire Vim escape process.

When to Close Sessions

Close when:

You're done with the assessment
You've completed all objectives
You need to start fresh
The session is compromised

Keep open when:

You need it for next steps
Escape was difficult
You're continuing escalation
You might need it again

🔗 What's Next?

Level 28 will likely introduce another system concept. You'll continue building on the concepts you've learned about setuid binaries, shell escapes, and privilege escalation.

Before moving on, make sure you:

✅ Understand setuid binaries (review from Level 20)
✅ Can use setuid binaries to execute commands
✅ Understand the importance of maintaining access
✅ Know how to continue privilege escalation chains

📚 Key Takeaways

After completing Level 27, you should understand:

setuid binaries — How to use them (review)
Access maintenance — Keeping shells open when needed
Privilege escalation chains — Building on previous access
Workflow continuity — Continuing from previous levels

🎯 Quick Reference

Concept	Explanation	Example
setuid	Binary runs as owner	`./bandit27-do command`
Effective UID	Who system thinks you are	`euid=11027(bandit27)`
Access maintenance	Keep shells open	Don't close Level 26 shell
Command execution	Run command through setuid	`./binary cat file`

🔍 Advanced: Understanding setuid Revisited

If you want to review setuid concepts:

How setuid Works

The process:

You execute the binary
Kernel sees setuid bit
Sets effective UID to file owner
Command runs with owner's privileges
Returns to your privileges