rtmoran.org — Cybersecurity and Linux Resource

Over the Wire’s Bandit Challenge – Level 20

overthewire

Level 20 – bandit – overthewire

Level Instructions:

“There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think”


bandit20@bandit:~$ ls -la
total 28
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rwsr-x---  1 bandit21 bandit20 8044 Dec 28  2017 suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect 
This program will connect to the given port on localhost using TCP. If it receives the 
   correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ tmux

*** SPLIT PANES *** Press <ctrl> + 'b' release, enter a quotation mark (") 
*** TO SWITCH PANES *** <ctrl> + 'b' release, <up/down arrow> 

# Top Pane # 
bandit20@bandit:~$ nc -lvp 4444 
Listening on [0.0.0.0] (family 0, port 4444) GbKksEFF4yrVs6il55v6gwY5aVje5f0j 

# Bottom Pane # 
bandit20@bandit:~$ ./suconnect 4444 
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j Password matches, sending next password 

# Top Pane # 
Connection from [127.0.0.1] port 4444 [tcp/*] accepted (family 2, sport 37482) 
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

This challenge can be completed two different ways.  The first is to become familiar with the ‘jobs’, ‘bg’, and ‘fg’ commands.  Or you can utilize a really great tool called ‘tmux’, as I did above.

Without a screenshot, the usefulness of the tmux program is really not done justice by my crude printout above.  What I used tmux above for was to split the above terminal into two separate horizontal panes; allowing us two separate work spaces to carry out the objective.  If you’re not familiar with tmux I highly recommend you check it out, as splitting terminal panes is only the beginning of its functionality.

In the first pane, we set up a listener over port 4444 with netcat and pasted in the previous password.  We then switch to our other pane and make use of the setuid executable ‘suconnect’ by appending the listening port (4444) to the end.

The opposite pane will be returned with the password for bandit21!

Leave a Reply to Imogen Cancel reply

Your email address will not be published. Required fields are marked *