Level Goal
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Changes to the infrastructure made this level more difficult. You will need to figure out a way to launch multiple commands in the same Docker instance.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
Solution
Password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
```
$ ssh bandit20@bandit.labs.overthewire.org -p 2220
```
Let’s see what we have and give it a run.
```
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
```
Alright, so we have a program that apparently connects to a specified port on localhost. Let’s set up a listening port in the background using netcat.
```
bandit20@bandit:~$ nc -l -p 12345 &
[1] 31111
```
The -l option tells netcat to listen on the port rather than connect to it, and the & at the end runs the command in the background so we get our shell prompt back. Let’s run our binary against the same port and see what happens.
```
bandit20@bandit:~$ ./suconnect 12345
```
So… nothing happens. suconnect is blocked waiting to read a line from the connection, and the backgrounded netcat has nothing on its standard input to send. Let’s kill that process with Ctrl + C. This will also end the listening process.
The help text for the binary says that it needs to receive the level 20 password before sending back the level 21 password.
There are a couple of ways we can do this. We can pipe an echo of the password into the netcat command, or we can redirect the password file into netcat’s standard input. Let’s set up both.
With echo:
```
bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -l -p 12345 &
```
With password file:
```
bandit20@bandit:~$ nc -l -p 12345 < /etc/bandit_pass/bandit20 &
```
Now let’s run our binary.
```
bandit20@bandit:~$ ./suconnect 12345
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
```
Wa wa wee wa.
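NOTE 2 above suggests connecting to your own daemon to check the exchange works the way you think. The Python below is an added example, not code from the page or from OverTheWire: `run_listener` plays netcat's role (send the password line, capture the reply), and `mock_suconnect` is a hypothetical stand-in for the real suconnect binary so the whole exchange can be run offline; `NEXT_PASSWORD` is a constructed placeholder, not the real bandit21 password.

```python
import socket
import threading

LEVEL20_PASSWORD = "GbKksEFF4yrVs6il55v6gwY5aVje5f0j"  # the password from the page
NEXT_PASSWORD = "constructed-next-level-password"       # constructed placeholder

def mock_suconnect(port, expected, next_password):
    """Hypothetical stand-in for ./suconnect: connect to localhost:port, read one
    line, and only reply with next_password if that line matches expected."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        line = s.makefile("r").readline().rstrip("\n")
        if line == expected:
            msg = f"Read: {line}\nPassword matches, sending next password\n{next_password}\n"
            s.sendall(msg.encode())
            return True
        s.sendall(b"Wrong password\n")
        return False

def run_listener(password):
    """Play netcat's role: listen on an ephemeral localhost port, send the
    password line to whoever connects, then capture everything sent back."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall((password + "\n").encode())
            conn.shutdown(socket.SHUT_WR)  # like EOF on netcat's stdin
            result["reply"] = conn.makefile("r").read()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t, result

def exchange(listener_password):
    """Run the full exchange: listener sends listener_password, mock binary answers.
    Returns (matched, reply_text) where reply_text is what the listener captured."""
    port, t, result = run_listener(listener_password)
    matched = mock_suconnect(port, LEVEL20_PASSWORD, NEXT_PASSWORD)
    t.join(5)
    return matched, result.get("reply", "")

if __name__ == "__main__":
    print(exchange(LEVEL20_PASSWORD)[1])
```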