Bandit Level 20 → Level 21

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think


We can see suconnect will need to be execute. Let see what it is for.

./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. 
If it receives the correct password from the other side, the next 
password is transmitted back.

Like the NOTE suggest, we need two instances where one listen for a port and another read and send back the password for the next level. We use nc to listen to a port of our choosing and send the current password to the port.

nc -l 32123 < /etc/bandit_pass/bandit20

In another ssh session, we start suconnect on the same port and immediately greeted with what we send to it.

./suconnect 32123
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

If you look at the first ssh session, the following message will pop up with the next password.

gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Additional References:

Advertisements