Skip to main content

Bandit Level 20 → 21

Shubham
Cybersecurity Enthusiast

Login: ssh bandit20@bandit.labs.overthewire.org -p 2220
Password: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

task

There is a SetUID binary in the home directory that connects to localhost on a specified port. It reads the current password from the connection and, if correct, sends back the password for the next level.

theory lil bit

  1. nc (netcat): Often called the "Swiss-army knife" of networking. We use it here to set up a listening server (-l) on a specific port (-p).
  2. suconnect binary: This program acts as a client. It expects to find a service listening on the port you provide. Once connected, it waits for the current level's password to be sent to it.
  3. Multitasking/Backgrounding: Since both the listener (nc) and the client (suconnect) need to run at the same time on the same machine, you either need two SSH sessions or to run the listener in the background using &.

solution

To solve this, we need two separate terminal instances or a way to run processes in parallel.

Terminal 1 (Setting up the listener): We tell netcat to listen on port 4444. Once the connection is established, we will paste the current password.

bandit20@bandit:~$ nc -lvnp 4444
Listening on 0.0.0.0 4444

Terminal 2 (Executing the client): While Terminal 1 is listening, we run the provided binary and point it to our listening port.

bandit20@bandit:~$ ./suconnect 4444

Back in Terminal 1: The connection will be received. You must then manually type or paste the password for Level 20. If it matches what the binary expects, it will send the Level 21 password back to you.

Connection received on 127.0.0.1 54086
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
EeoULMCra2q0dSkYj561DX7s1CpBuOBt

<!-- truncate -->