Level 20

Level Goal

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

Solution

The suconnect executable connects to the port we give it and reads a line from the connection, expecting bandit20’s password. If it receives that password, it sends back the password for bandit21. Since suconnect is the side that connects, we have to provide the listener. We can use the ncat utility with the -l flag to listen on some arbitrary port (in this case I used 54321). We can either launch it in the foreground and use CTRL+Z to suspend it, or append an ampersand ("&") to the end of the command to launch it in the background. We then run the suconnect binary and move it to the background as well. After bringing the ncat job back to the foreground, we can send bandit20’s password and receive bandit21’s password as a response. See the job control sections of the bash manual.

$ ncat -l 127.0.0.1 54321 &
[1] 3883228

$ ./suconnect 54321
^Z
[2]+ Stopped ./suconnect 54321

$ jobs
[1]+ Stopped ncat -l 127.0.0.1 54321
[2]- Stopped ./suconnect 54321

$ fg
ncat -l 127.0.0.1 54321
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
^Z
[1]+ Stopped ncat -l 127.0.0.1 54321

$ fg 2
./suconnect 54321
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password

$ fg 1
ncat -l 127.0.0.1 54321
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq

$
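The exchange above, modelled end to end as an added example (not part of the original writeup and not the real suconnect code). It shows the role reversal this level depends on: the binary is the client, so our side must listen and speak first. The function suconnect_stand_in is a hypothetical stand-in that follows only the behaviour stated in the Level Goal, and both passwords are constructed placeholders.

```python
import socket
import threading

# Constructed placeholder secrets, not real Bandit passwords.
CURRENT_PASSWORD = "current-level-password"
NEXT_PASSWORD = "next-level-password"


def suconnect_stand_in(port):
    """Hypothetical stand-in for suconnect: connect, read one line, compare, reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        with conn.makefile("rw", newline="\n") as stream:
            line = stream.readline().rstrip("\n")
            # Only the matching case is described on the page; on a mismatch
            # this stand-in sends nothing and closes (an assumption).
            if line == CURRENT_PASSWORD:
                stream.write(NEXT_PASSWORD + "\n")
                stream.flush()


def listen_and_exchange(password_to_send):
    """Our side (the 'ncat -l' role): accept one connection, send a line, read the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server:
        server.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        server.listen(1)                # listener must exist before the client runs
        port = server.getsockname()[1]
        client = threading.Thread(target=suconnect_stand_in, args=(port,))
        client.start()                  # plays the part of "./suconnect <port>"
        conn, _ = server.accept()
        with conn, conn.makefile("rw", newline="\n") as stream:
            stream.write(password_to_send + "\n")   # the listener speaks first
            stream.flush()
            reply = stream.readline().rstrip("\n")  # empty string if peer just closes
        client.join()
        return reply


if __name__ == "__main__":
    print("correct password ->", repr(listen_and_exchange(CURRENT_PASSWORD)))
    print("wrong password   ->", repr(listen_and_exchange("wrong guess")))
```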