Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat
Solution:
- [Comment] Using SSH to connect to the server
- sp@simple-plan:~|=> ssh bandit20@bandit.labs.overthewire.org
...
bandit20@bandit.labs.overthewire.org's password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
- [Comment] Using ls command to list directory contents
- bandit20@melinda:~$ ls
suconnect
- [Comment] Using ll = ls -l command to list directory contents in detail
- bandit20@melinda:~$ ll
total 28
drwxr-xr-x 2 root root 4096 Jun 6 2013 ./
drwxr-xr-x 160 root root 4096 Oct 17 09:23 ../
-rw-r--r-- 1 root root 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 root root 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 root root 675 Apr 3 2012 .profile
-rwsr-x--- 1 bandit21 bandit20 7798 Jun 6 2013 suconnect*
- [Comment] Create a netcat listener on port 1337 to send the password to client
- bandit20@melinda:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1337 &
[1] 3729
- [Comment] Execute the binary to make a connection to localhost on the port 1337
- bandit20@melinda:~$ ./suconnect 1337
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[1]+ Done echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1337
- [Comment] Using exit command to disconnect connection to server
- bandit20@melinda:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
- [Comment] It's done! Saving the password for next level.
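The exchange above, modelled in Python as an added example (not the author's or OverTheWire's code): a background listener plays the role of `echo ... | nc -l PORT &`, and `suconnect_like` is a hypothetical stand-in for the setuid binary. The passwords are constructed placeholders, and the run shows that the client only succeeds once a listener is already accepting on the port.

```python
import socket
import threading

# Constructed placeholder values, not real level passwords.
CURRENT_PW = "current-level-password"
NEXT_PW = "next-level-password"

def start_listener(line):
    """Rough equivalent of `echo line | nc -l PORT &`: serve one client in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    srv.listen(1)                # the port accepts connections from here on
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(line.encode() + b"\n")
            received.append(conn.makefile().readline().strip())
        srv.close()

    worker = threading.Thread(target=serve)
    worker.start()
    return port, worker, received

def unused_port():
    """Return a local port that nothing is listening on (bound, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def suconnect_like(port):
    """Hypothetical stand-in for suconnect: connect, read one line, compare, reply."""
    try:
        conn = socket.create_connection(("127.0.0.1", port), timeout=2)
    except OSError:
        return "ERROR: Can't connect"   # no listener on that port yet
    with conn:
        if conn.makefile().readline().strip() != CURRENT_PW:
            return "no match"           # constructed reply; the real wording is not on this page
        conn.sendall(NEXT_PW.encode() + b"\n")
        return "Password matches, sending next password"

if __name__ == "__main__":
    print(suconnect_like(unused_port()))        # client started before any listener
    port, worker, received = start_listener(CURRENT_PW)
    print(suconnect_like(port))                 # listener already running
    worker.join()
    print("listener received:", received[0])
```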
Why Port 1337?
It could be any port you specify nc to listen on, this guy just chose 1337 (leet)
I am getting below error
bandit20@bandit:~$ ./suconnect 1337
ERROR: Can't connect
when I tried to scan port below is the log.
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-03 15:47 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00065s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp open ident
30000/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Can you pls help me out?
U must use echo password | nc -l port before u can start the suconnect.
i wonder what is the '&' sign in the line
echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1337 &
as this method worked like charm
but when i tried open to 2 ssh windows with 'echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234'
and './suconnect 1234' simultaneously
i got error cant connect
the & makes sure that the nc command keeps running. Without the & the nc process would stop when u enter the next command. That's why u cant suconnect afterwards (cuz the & is missing, the nc is not listening anymore so u cant connect.)