Level 20 – bandit – overthewire
“There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think”
bandit20@bandit:~$ ls -la
total 28
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rwsr-x---  1 bandit21 bandit20 8044 Dec 28  2017 suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ tmux

*** SPLIT PANES ***
Press <ctrl> + 'b', release, then enter a quotation mark (")
*** TO SWITCH PANES ***
<ctrl> + 'b', release, then <up/down arrow>

# Top Pane #
bandit20@bandit:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

# Bottom Pane #
bandit20@bandit:~$ ./suconnect 4444
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

# Top Pane #
Connection from [127.0.0.1] port 4444 [tcp/*] accepted (family 2, sport 37482)
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
This challenge can be completed in two different ways. The first is to get familiar with the ‘jobs’, ‘bg’ and ‘fg’ shell commands, so the netcat listener can be backgrounded while suconnect runs in the same terminal. The second, which I used above, is a really great tool called ‘tmux’.
Without a screenshot, my crude printout above does not do tmux justice. I used it to split the terminal into two horizontal panes, giving us two separate work spaces in one SSH session to carry out the objective. If you’re not familiar with tmux I highly recommend you check it out, as splitting terminal panes is only the beginning of its functionality.
Note the permissions on suconnect: ‘-rwsr-x---’ owned by bandit21 means it runs setuid as bandit21, so it can read bandit21’s password while we, running as bandit20, cannot. All it needs from us is a TCP server on localhost that speaks one line.
In the first pane, we set up a listener on port 4444 with netcat and paste in the previous password (bandit20’s). We then switch to the other pane and run the setuid executable ‘suconnect’ with the listening port (4444) as its command-line argument. suconnect connects to our listener, reads the line we pasted, confirms it matches, and sends the next password back over the same connection.
The listener pane then receives the password for bandit21!
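The exchange above boils down to a one-line protocol: the client connects, reads a line, compares it, and replies with the next password only on a match. The following is an added example, not code from the OverTheWire level or this post, that scripts both sides of that exchange so it runs offline without tmux or two panes. ‘mock_suconnect’ is a hypothetical stand-in for the real setuid binary, the password strings are constructed placeholders, and ‘run_exchange’ plays the role of the ‘nc -lvp’ pane, including the failure case where the wrong password is sent and the client simply closes the connection.

```python
import socket
import threading

# Constructed placeholder values; these are not the real bandit passwords.
PREVIOUS_PASSWORD = "bandit20-password-placeholder"
NEXT_PASSWORD = "bandit21-password-placeholder"


def mock_suconnect(port, expected_password, next_password):
    """Hypothetical stand-in for the level's setuid 'suconnect' binary.

    Connects to localhost:port, reads one line, and sends next_password back
    only if the line matches expected_password. On a mismatch it just closes
    the connection, so the listener sees EOF. Returns the line it read.
    """
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        line = sock.makefile("rb").readline().rstrip(b"\r\n").decode()
        if line == expected_password:
            sock.sendall((next_password + "\n").encode())
        return line


def run_exchange(password_to_send, expected_password, next_password):
    """The listener pane, scripted: bind an ephemeral localhost port, let the
    (mock) client connect, send one line, and return whatever comes back.

    Returns the reply string, or "" when the client closed without answering.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]

    # Start the client in a thread; it blocks in readline() until we send.
    client = threading.Thread(
        target=mock_suconnect, args=(port, expected_password, next_password)
    )
    client.start()

    conn, _peer = srv.accept()
    with conn:
        conn.settimeout(5)
        conn.sendall((password_to_send + "\n").encode())
        reply = conn.makefile("rb").readline().rstrip(b"\r\n").decode()

    client.join(timeout=5)
    srv.close()
    return reply


if __name__ == "__main__":
    print("correct password ->", repr(run_exchange(PREVIOUS_PASSWORD, PREVIOUS_PASSWORD, NEXT_PASSWORD)))
    print("wrong password   ->", repr(run_exchange("not-the-password", PREVIOUS_PASSWORD, NEXT_PASSWORD)))
```

On the real box the only piece you keep is the listener half: the setuid binary is the client, so it must be started after the listener is up, which is exactly why the post needs two panes (or a backgrounded ‘nc’).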