Bandit Level 20

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Changes to the infrastructure made this level more difficult. You will need to figure out a way to launch multiple commands in the same Docker instance.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

Solution

Password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Let’s see what we have and give it a run.

Alright, so we have a program that apparently connects to a specified port on localhost. Let’s set up a listening port in the background using netcat.

The -l option tells netcat to set up a listening port, rather than try to connect. The & at the end runs the command in the background. Let’s run our binary on the same port and see what happens.

So… nothing happens. Let’s kill that process with Ctrl + C. This will also end the listening process.

The help text for the binary says that it needs to receive the level 20 password before sending back the level 21 password.

There’s a couple of ways we can do this. We can pipe an echo of the password to the netcat command, or we could direct it some file output. Let’s set up both.

With echo:

With password file:

Now let’s run our binary.

Wa wa wee wa.