Level Goal
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Commands you may need to solve this level: ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)

So let's see what this setuid binary is. ls -la shows a file called suconnect; the owner is bandit21 and the group is bandit20, so bandit20 may run it while it executes with bandit21's privileges, which is how it can read the next password for us. Let's run this file: ./suconnect

Usage: ./suconnect
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.

So, given the tip in the Goal, we need to make our own daemon that listens for the connection. I googled and came across this post: https://unix.stackexchange.com/questions/214471/how-to-create-a-tcp-listener. We can use nc -l to start a listener. So let's open a second SSH connection to the bandit server and start the listener there with nc -l 31321, then connect from the other SSH session. I could not connect.

Let's read the man page of nc. Maybe I should use the -p option for the port. Let's try it again: nc -l -p 31321. Now I can connect and supply the password, but nothing happens.

Let's check the goal: “It reads a line of text from the connection.” So I probably need to send it a line of text. We can do this with echo, piping its output into the nc command so that nc writes that line to whoever connects: echo GbKksEFF4yrVs6il55v6gwY5aVje5f0jn | nc -l -p 31321. Let's connect to it once again from the other session, giving suconnect the port so it reads our line, compares it with the current password and answers with the next one: ./suconnect 31321

We got the password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
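Added example, not from the original post: a small Python version of the same exchange (listen on localhost, send one line, read one line back), plus a local stand-in for suconnect so the daemon can be checked before the real binary is pointed at it, as the level's NOTE suggests. The passwords are constructed placeholders and mock_suconnect only imitates the behaviour the Goal describes, not the real binary.

```python
import socket
import threading

# Constructed stand-ins for the two level passwords (not the real values).
CURRENT_PASSWORD = "current-level-password"
NEXT_PASSWORD = "next-level-password"

def make_listener(port=0):
    """Bind a one-connection TCP listener on localhost (0 = kernel-chosen port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))  # suconnect dials localhost; expose nothing else
    srv.listen(1)
    return srv

def serve_once(srv, line_to_send, timeout=5.0):
    """Accept one client, send one line, return the line it answers with
    (same exchange as `echo <password> | nc -l -p <port>`); None = no reply."""
    srv.settimeout(timeout)
    try:
        conn, _ = srv.accept()
    finally:
        srv.close()  # one-shot, like nc -l without -k
    with conn, conn.makefile("rb") as rd:
        conn.settimeout(timeout)
        conn.sendall(line_to_send.encode() + b"\n")
        reply = rd.readline()  # b"" if the peer hung up without answering
    return reply.rstrip(b"\r\n").decode() if reply else None

def mock_suconnect(port, expected, next_password):
    """Stand-in for suconnect (not the real binary) so the daemon can be tested:
    read one line, reply with next_password only if it matches expected."""
    with socket.create_connection(("127.0.0.1", port), timeout=5.0) as c:
        with c.makefile("rb") as rd:
            got = rd.readline().rstrip(b"\r\n").decode()
        if got != expected:
            return False  # no match: send nothing, just close the connection
        c.sendall(next_password.encode() + b"\n")
        return True

def exchange(line_to_send, expected=CURRENT_PASSWORD, answer=NEXT_PASSWORD):
    """Run daemon and mock client end to end; return what the daemon received."""
    srv = make_listener()
    port = srv.getsockname()[1]
    t = threading.Thread(target=mock_suconnect, args=(port, expected, answer))
    t.start()
    reply = serve_once(srv, line_to_send)
    t.join()
    return reply
```

exchange(CURRENT_PASSWORD) returns the next password, while exchange("wrong-guess") returns None because the mock closes without answering, which is the "nothing happens" symptom the listener shows when the wrong line (or no line) is sent.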
