OverTheWire: Bandit Level 20 → Level 21
The Bandit wargames are aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)
> whatis ssh
ssh (1) - OpenSSH remote login client
> whatis nc
nc (1) - arbitrary TCP and UDP connections and listens
> whatis cat
cat (1) - concatenate files and print on the standard output
> whatis bash
bash (1) - GNU Bourne-Again SHell
> whatis screen
screen (1) - screen manager with VT100/ANSI terminal emulation
> whatis tmux
tmux (1) - terminal multiplexer
Note: Not all commands are required to complete the level
Helpful Reading Material
Netcat (nc) Command with Examples | Linuxize
Understanding the job control commands in Linux - bg, fg and CTRL+Z - The Geek Diary
Solution
We have a binary file that connects to a user-specified port and reads a line of text from it. If the text is the same as the last level’s password, we get the next level’s password.
So the first task that we need to do is set up a listener on any port on the system that will return the previous level password if we connect to that port using the binary file. We can set up a listener using the Netcat command.
(The password for the previous level is stored in /etc/bandit_pass/bandit19 which we found in the previous level)
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234 &
[1] 14333
The -l flag is used to set up a listener and the -p flag is used to specify the port the listener should listen on. As we have not specified an IP address, the listener is going to run on localhost.
The “&” at the end of the command is used to specify that we want the command to run in the background. The jobs command can be used to view all the processes/jobs on the system.
bandit20@bandit:~$ jobs
[1]+ Running echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234 &
Now that we have the listener set up, we can use the binary file to connect on the same port.
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect 1234
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[1]+ Done echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234
As soon as we connect, the password of the previous level is compared with the text that we had specified on port 1234, and since they matched we got the password for the next level.
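The exchange described above, as an added Python example that is not part of the original walkthrough or the game's own code: a one-shot listener plays the netcat side and a stand-in plays the suconnect side as the Level Goal describes it. The function names and passwords are constructed, and closing the connection silently on a mismatch is an assumption.

```python
import socket
import threading


def serve_line_once(line):
    """One-shot listener, like `echo LINE | netcat -lp PORT &`.

    Binds to 127.0.0.1 only and lets the kernel pick a free port.
    Returns (port, thread, received); `received` collects the peer's reply.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def handle():
        conn, _ = srv.accept()
        with srv, conn, conn.makefile("r") as reader:
            conn.sendall(line.encode() + b"\n")         # what `echo` feeds netcat
            received.append(reader.readline().strip())  # "" if peer just closes

    thread = threading.Thread(target=handle, daemon=True)
    thread.start()
    return port, thread, received


def suconnect_stand_in(port, expected, next_password):
    """Hypothetical stand-in for ./suconnect: connect to localhost:port,
    read one line, compare it, and send the next password only on a match."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s, \
            s.makefile("r") as reader:
        got = reader.readline().strip()
        if got != expected:
            return False  # assumption: close without sending anything
        s.sendall(next_password.encode() + b"\n")
        return True


if __name__ == "__main__":
    CURRENT, NEXT = "constructed-current-pass", "constructed-next-pass"
    for offered in (CURRENT, "wrong-guess"):
        port, thread, received = serve_line_once(offered)
        matched = suconnect_stand_in(port, CURRENT, NEXT)
        thread.join(5)
        print(f"offered={offered!r} matched={matched} listener got={received[0]!r}")
```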
Log out of the current session and start the next level as bandit21.
> ssh [email protected] -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
[email protected]'s password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr