Shellcode on a setuid program (1/?)

Despite the severe lack of free time, I'm currently sharpening my security skills by doing CTFs. My focus is on details and on building a solid understanding of how things work at a low level, which is an elegant way of justifying the fact that it takes forever for me to advance a single level.

While doing the current exercise, I've battled against a number of things [and I regret taking notes in such a poor way]. We are talking about setuid binaries that should be convinced to steal the flag for us. Injecting a shellcode in this one is trivial, as it is one of the first exercises. My focus is on the exploit, which is where I'm less competent.

Over (way too much) time, I managed to put together a dumb shellcode, which just runs execve("/bin/sh", ["/bin/sh", "/bin/sh", NULL]). I can see the shell process is running, since the prompt is printed, but as it turns out the shell does not have the permissions that I would expect to be granted by setuid. Why so?

- As I learned, bash will drop privileges in case of unequal euid and ruid [1]. This is a clever idea from the multi-layer security perspective, and overall good to know. But the target system runs dash, not bash!
- I encoded an execve("/bin/id", ["/bin/id", NULL]) instead, learning that not even id(1) will show the correct permissions. This is somewhat surprising: I wrote a quick program that does the same, gave it setuid and a different user, and *on my system* it behaves as I would have expected!
- Next up, I'll try capturing the flag directly, without relying on an exec. I think `ragg2` will be useful for this to happen without spending all this time.

[1] https://www.gnu.org/software/bash/manual/html_node/Bash-Startup-Files.html#Invoked-with-unequal-effective-and-real-UID_002fGIDs
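An added example of the kind of quick check program mentioned above (not the author's code): it reports the real, effective and saved UIDs with getresuid(2), flags the ruid/euid mismatch that a setuid binary runs under (the condition bash reacts to by dropping privileges), and then execs /bin/id so the kernel's view and id(1)'s view can be compared. It assumes Linux and /bin/id at that path; to reproduce the experiment, chown it to another user and chmod u+s.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Snapshot of the three UIDs the kernel tracks per process. */
struct uid_triple { uid_t ruid, euid, suid; };

/* Fill *t from getresuid(2); returns 0 on success, -1 on error. */
int read_uids(struct uid_triple *t) {
    return getresuid(&t->ruid, &t->euid, &t->suid);
}

/* 1 when the effective UID differs from the real UID, i.e. the state a
   setuid binary starts in and the state that makes bash drop back to
   the real UID (dash does not do this). */
int has_uid_mismatch(const struct uid_triple *t) {
    return t->ruid != t->euid;
}

int main(void) {
    struct uid_triple t;
    if (read_uids(&t) != 0) { perror("getresuid"); return 1; }
    printf("ruid=%u euid=%u suid=%u mismatch=%d\n",
           (unsigned)t.ruid, (unsigned)t.euid, (unsigned)t.suid,
           has_uid_mismatch(&t));

    /* Replace this process with id(1). execve keeps the effective UID
       unless the kernel refuses it (e.g. the binary lives on a nosuid
       mount or the process has no_new_privs set), so a difference
       between the line above and id's output points at such a refusal. */
    char *const argv[] = { "/bin/id", NULL };
    char *const envp[] = { NULL };
    execve("/bin/id", argv, envp);
    perror("execve");   /* only reached if the exec failed */
    return 1;
}
```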