OverTheWire - Bandit - Level 20 → Level 21

Warning: This post contains a solution!

Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!


Connect to the server using the following credentials:

Server: bandit.labs.overthewire.org
Port: 2220
Username: bandit20
Password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level Goal is:

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

From the level goal above we know that we need to open a port that the setuid binary connects to and waits for the password from the current level. If the current password is correct, it responds with the password for the next level.

So, first we need to open a port (12345 in this example) and send the password through it:

bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -vlp 12345
listening on [any] 12345 ...

nc is listening on 12345 and if a connection is established, the password of the current level will be piped through the connection.
Next, open a second terminal/session/tmux window/screen/... and run the setuid binary:

bandit20@bandit:~$ ./suconnect 12345
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

The transmitted password is correct. The setuid binary responds with the password for the next level:

bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -vlp 12345
listening on [any] 12345 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 44028
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Password is: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Show Comments