Post

Overthewire Bandit Level 20-> 21

Posted Updated
By Michael McDonagh
3 min read

Solution for the Overthewire.org Bandit level 20 -> 21

Level Goal

There is a setuid binary in the homedirectory that does the following:
it makes a connection to localhost on the port you specify as a commandline argument.
It then reads a line of text from the connection and compares it to the password in the previous level (bandit20).
If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Walkthrough

Login to the server using the password obtained from the previous level Bandit level 19 -> 20.

username: bandit20

1

ssh bandit20@bandit.labs.overthewire.org -p 2220

Like the previous level we will be using a setuid binary file. We can run it to find out how to use it correctly.

1
2
3
4
5
6
7
8

bandit20@bandit:~$ ls
suconnect

bandit20@bandit:~$ ./suconnect 
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.        

bandit20@bandit:~$

So suconnect will accept a port number as an argument and try to receive the password from a TCP connection on the port, if the password is correct suconnect will send the new password to the back as a reply.

One problem is that currently there is nothing for suconnect to connect to. The challenge is for us to create a TCP connection for suconnect to connect to.

We can do this using netcat (nc). We can open a listener with netcat on a specific port and on a second terminal instance we run the suconnect binary. Once the connection is made we send the password using netcat and suconnect should reply with the new password.

1
2
3
4
5
6
7
8

Terminal 1
bandit20@bandit:~$ nc -l -p 4444

-------------------------------------------------

Terminal 2
bandit20@bandit:~$ ./suconnect 4444

On Terminal 1 we have run netcat with the -l for listening and -p for port number.
On Terminal 2 we ran the suconnect with the same port number used for netcat.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

Terminal 1

bandit20@bandit:~$ nc -lp 4444
GbKksE##########################
gE269g##########################
bandit20@bandit:~$ 

----------------------------------------------------
Terminal 2

bandit20@bandit:~$ ./suconnect 4444
Read: GbKksE########################## 
Password matches, sending next password

bandit20@bandit:~$

Alternative

Alternatively we can create the TCP server using a python script in place of using netcat.

In the python file we specify the host 127.0.0.1, port 4444 and the password to be sent. When the script is run it will open a TCP connection on port 4444 and wait for something to connect, when it receives the connection from suconnect the python script will send the password and receive the new password back.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

#!/usr/bin/env python3

import socket

HOST = '127.0.0.1' # localhost
PORT = 4444 # use the same port number with suconnect

# Password for bandit20
PASSWORD = 'GbKksE##########################' 

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind((HOST, PORT))
    s.listen()
    conn, addr = s.accept()
    with conn:
        conn.sendall(bytes(PASSWORD, "utf-8"))
        data = conn.recv(1024)
        print(data.decode('utf-8'))

Again we will need 2 terminals open one to run the python script and the other to run suconnect.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

Terminal 1

bandit20@bandit:~$ python3 tcp_server.py
gE269g##########################

bandit20@bandit:~$
----------------------------------------------
Terminal 2

bandit20@bandit:~$ ./suconnect 4444
Read: GbKksE########################## 
Password matches, sending next password

bandit20@bandit:~$
OverTheWire, Bandit
overthewire bandit
This post is licensed under CC BY 4.0 by the author.