OverTheWire: Bandit Level 20 → Level 21

https://overthewire.org/wargames/bandit/bandit21.html

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Commands you may need to solve this level

ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)

> whatis ssh
ssh (1) - OpenSSH remote login client
> whatis nc
nc (1) - arbitrary TCP and UDP connections and listens
> whatis cat
cat (1) - concatenate files and print on the standard output
> whatis bash
bash (1) - GNU Bourne-Again SHell
> whatis screen
screen (1) - screen manager with VT100/ANSI terminal emulation
> whatis tmux
tmux (1) - terminal multiplexer

Note : Not all commands are required to complete the level

Helpful Reading Material

Solution

We have an binary file that makes connection to user specified port and reads a line of text. If the text is same as the last level password we get next level password.

So the first task that we need to do is setup an listener on any port on the system that will return the previous level password if we connect to that port using the binary file. We can setup an listener using the netcat command.

(The password for the previous level is stored in /etc/bandit_pass/bandit19 which we found in the previous level)

bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234 &
[1] 14333

The -l flag is used to setup an listener and the -p flag is used to specify the port the the listener should listen on. As we have not specified IP Address the listener is going to run on localhost.

The “&” at the end of the command is used to specify that we want the command to run in the background. The jobs command can be used to view all the processes/ jobs on the system

bandit20@bandit:~$ jobs
[1]+ Running echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234 &

Now that we have the listener setup we can use the binary file to connect on the same port

bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect 1234
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[1]+ Done echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234

As soon as we connect the password of the previous level was compared with the text that we had specified on port 1234 and since they matched we got the password for the next level

Logout of the current session and start next level as bandit21

> ssh bandit21@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit21@bandit.labs.overthewire.org's password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} Zeon Hack Free Resources Generator

Mises — Decentralized Personal Accounts and Social Relationships (Draft)

Upcoming Cybersecurity Speaking Events

Introducing SSL for SaaS

Security Warnings for the Rest of Us

AMA With iMe|| Apr-25–2021

Airdrop Swap free 100.000 CCS & 5000 CCN potential

WISE Stepped into #BinanceSmartChain Don’t Miss the opportunity.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
David Varghese

David Varghese

More from Medium

CIS controls — where to start in securing a medium/big enterprise

Application security notes: Who is an application security engineer?

Gitlab Runner “Exited with status 1” Without any Log

API Security Testing With Postman and OWASP Zap