What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.

2014-01-23

OverTheWire - Bandit - Level 20 to Level 21

Description:

Level Goal
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think.
Commands you may need to solve this level:
ssh, nc, cat
Solution:
  1. [Comment] Using SSH to connect to the server
  2. sp@simple-plan:~|=> ssh bandit20@bandit.labs.overthewire.org
    ...
    bandit20@bandit.labs.overthewire.org's password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
  3. [Comment] Using ls command to list directory contents
  4. bandit20@melinda:~$ ls
    suconnect
  5. [Comment] Using ll (= ls -l) to list directory contents in detail
  6. bandit20@melinda:~$ ll
    total 28
    drwxr-xr-x 2 root root 4096 Jun 6 2013 ./
    drwxr-xr-x 160 root root 4096 Oct 17 09:23 ../
    -rw-r--r-- 1 root root 220 Apr 3 2012 .bash_logout
    -rw-r--r-- 1 root root 3486 Apr 3 2012 .bashrc
    -rw-r--r-- 1 root root 675 Apr 3 2012 .profile
    -rwsr-x--- 1 bandit21 bandit20 7798 Jun 6 2013 suconnect*
  7. [Comment] Create a netcat listener on port 1337 (in the background) to send the password to the client
  8. bandit20@melinda:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1337 &
    [1] 3729
  9. [Comment] Execute the binary to make a connection to localhost on port 1337
  10. bandit20@melinda:~$ ./suconnect 1337
    Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
    Password matches, sending next password
    gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
    [1]+ Done echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1337
  11. [Comment] Using the exit command to disconnect from the server
  12. bandit20@melinda:~$ exit
    logout
    Connection to bandit.labs.overthewire.org closed.
  13. [Comment] It's done! Saving the password for the next level.
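The exchange in steps 8 and 10, as an added Python model (this is not the page's code and not the real suconnect binary): a listener standing in for `nc -l`, a `suconnect` function standing in for the setuid binary, and constructed placeholder passwords instead of the real ones. The listener must be up before the client connects, which is exactly the "ERROR: Can't connect" case the comments below ask about.

```python
import socket
import threading

# Constructed placeholder passwords; the real per-level passwords are not reproduced here.
CURRENT_PASSWORD = "bandit20-password-placeholder"
NEXT_PASSWORD = "bandit21-password-placeholder"


def start_listener(line, port=0):
    """Stand-in for `echo "$PASSWORD" | nc -l PORT &`: accept one client, send one
    line, record what the client sends back, then exit. Port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)          # listening before the client starts, like nc in step 8
    result = {"received": None}

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall((line + "\n").encode())
            # nc prints whatever the peer sends back; here that is the next password
            result["received"] = conn.recv(1024).decode().rstrip("\n")
        srv.close()        # like nc, the listener exits after one connection

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return srv.getsockname()[1], worker, result


def suconnect(port, expected=CURRENT_PASSWORD, reply=NEXT_PASSWORD):
    """Model of the level's setuid binary (assumed behaviour, not its real code):
    connect to localhost:port, read one line, compare it to the current password
    and send the next password only on a match. Returns the text it would print."""
    try:
        sock = socket.create_connection(("127.0.0.1", port), timeout=2)
    except OSError:
        return "ERROR: Can't connect"          # nobody listening yet
    with sock:
        line = sock.makefile("rb").readline().decode(errors="replace").rstrip("\n")
        if line != expected:
            return "Read: %s\nPassword does not match" % line   # wording assumed
        sock.sendall((reply + "\n").encode())
        return "Read: %s\nPassword matches, sending next password" % line


if __name__ == "__main__":
    port, worker, result = start_listener(CURRENT_PASSWORD)
    print(suconnect(port))
    worker.join(2)
    print("listener received:", result["received"])
```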
Reference:
ssh: http://linuxcommand.org/man_pages/ssh1.html
ls: http://linuxcommand.org/man_pages/ls1.html
cat: http://linuxcommand.org/man_pages/cat1.html
exit: http://linuxcommand.org/man_pages/exit1.html
cd: http://linuxcommand.org/lc3_man_pages/cdh.html
find: http://linuxcommand.org/man_pages/find1.html
grep: http://linuxcommand.org/lc3_man_pages/grep1.html
sort: http://linuxcommand.org/lc3_man_pages/sort1.html
uniq: http://linuxcommand.org/man_pages/uniq1.html
strings: http://linuxcommand.org/man_pages/strings1.html
base64: http://linux.die.net/man/1/base64
tr: http://linuxcommand.org/man_pages/tr1.html
alias: http://linuxcommand.org/man_pages/alias1.html
mkdir: http://linuxcommand.org/man_pages/mkdir1.html
cp: http://linuxcommand.org/man_pages/cp1.html
xxd: http://linuxcommand.org/man_pages/xxd1.html
file: http://linuxcommand.org/man_pages/file1.html
mv: http://linuxcommand.org/man_pages/mv1.html
gzip: http://linuxcommand.org/man_pages/gzip1.html
bzip2: http://linuxcommand.org/man_pages/bzip21.html
tar: http://linuxcommand.org/man_pages/tar1.html
echo: http://linuxcommand.org/man_pages/echo1.html
nc: http://linuxcommand.org/man_pages/nc1.html
openssl: http://linuxcommand.org/man_pages/openssl1.html
diff: http://linuxcommand.org/man_pages/diff1.html
env: http://linuxcommand.org/man_pages/env1.html

10 comments:

  1. Replies
    1. It could be any port you specify nc to listen on; this guy just chose 1337 (leet).
  2. I am getting the error below:
    bandit20@bandit:~$ ./suconnect 1337
    ERROR: Can't connect

    When I tried to scan the port, below is the log.
    Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-03 15:47 UTC
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00065s latency).
    Other addresses for localhost (not scanned): 127.0.0.1
    Not shown: 997 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    113/tcp open ident
    30000/tcp open unknown

    Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

    Can you please help me out?

    Replies
    1. You must use echo password | nc -l port before you can start suconnect.
  6. I wonder what the '&' sign is for in the line
    echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1337 &
    as this method worked like a charm.

    But when I tried to open 2 ssh windows with 'echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234'

    and './suconnect 1234' simultaneously,

    I got the error "can't connect".

    Replies
    1. The & makes sure that the nc command keeps running. Without the & the nc process would stop when you enter the next command. That's why you can't suconnect afterwards (because the & is missing, nc is not listening anymore, so you can't connect).