Access
SSH: ssh bandit20@bandit.labs.overthewire.org -p 2220
Password: 5X4yofCajIVwIro9OH0y2ZbCqTF5mwXv
Info
Description: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21). NOTE: Try connecting to your own network daemon to see if it works as you think
Commands: ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)
Theory
To get the password we have to deal with a one-response connection: something connects, reads a password, checks it, and sends the next level's password back. That reminds me a lot of the earlier level where we used NetCat to send a password and got the next one in return. After reading the man pages and a bit about Unix job control, the idea of this level is that we set up our own listener on a localhost port; the level's binary connects to it, reads our password from that connection, checks it and writes the next password back, and after that single exchange the connection is over. Looking at the level's files there is an executable called "suconnect", and that is the client side of the exchange: it connects to whatever port we give it, so all we have to provide is the server side, which NetCat can do. So the command uses echo to supply the password (suconnect has no prompt of its own, it expects the password to arrive over the connection), piped into NetCat with the -l option, which makes it listen instead of connecting out, and -p to name the port to listen on. The port number can be any free port above 1024 (lower ports need root), just remember it, because suconnect needs the same number. The trailing & puts NetCat in the background: without it, nc would block waiting for a connection and hold the shell, and we'd have no way to run suconnect from the same terminal (the alternative is a second terminal, screen or tmux, which is why the level lists those). suconnect itself only takes the port to connect to. That gives these two commands:
echo "5X4yofCajIVwIro9OH0y2ZbCqTF5mwXv" | nc -l -p 7424 & ./suconnect 7424
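To check that the exchange really works the way the description says, here is a local simulation, added as an example and not part of the level or of this write-up. It is a Python script that plays both roles: the listener that `echo ... | nc -l -p PORT &` provides, and a mock of suconnect built only from the level description (its real behaviour on a wrong password is not known, so the mock simply closes, and the "next password" it hands out is a constructed placeholder, not the real bandit21 password). This is the "connect to your own network daemon" experiment the level hints at, done end to end, for both the `echo` and the `echo -n` form of the sender.

```python
import socket
import threading

# Values for this local simulation. The bandit20 password is the one on this
# page; the "next" password is a constructed placeholder, not the real one.
BANDIT20_PASSWORD = "5X4yofCajIVwIro9OH0y2ZbCqTF5mwXv"
FAKE_NEXT_PASSWORD = "constructed-placeholder-for-bandit21"


def read_line(sock, limit=256):
    """Read until a newline, EOF or `limit` bytes, whichever comes first.

    This tolerates both `echo` (trailing newline) and `echo -n` (no newline,
    the sender just closes its side) on the other end of the connection.
    """
    buf = b""
    while b"\n" not in buf and len(buf) < limit:
        chunk = sock.recv(limit - len(buf))
        if not chunk:  # peer closed: treat what we have as the line
            break
        buf += chunk
    return buf.split(b"\n", 1)[0].rstrip(b"\r").decode(errors="replace")


def mock_suconnect(port, expected, secret):
    """Stand-in for `./suconnect PORT`, modelled on the level description.

    Assumed behaviour: connect to localhost, read one line, compare it with
    `expected`, send `secret` back on a match and otherwise just close.
    The real binary runs setuid bandit21 and reads the real password file;
    this mock only knows the `secret` it is handed.
    """
    with socket.create_connection(("127.0.0.1", port)) as s:
        got = read_line(s)
        if got == expected:
            s.sendall(secret.encode() + b"\n")
            return True
        return False


def run_exchange(line_to_send, trailing_newline=True):
    """Play the listener role of `echo ... | nc -l -p PORT` and return what
    the client sent back (an empty string if it sent nothing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port for us
    srv.listen(1)
    port = srv.getsockname()[1]

    # Only start the client once the listener is bound. The shell one-liner
    # gives no such guarantee: `nc -l ... &` and `./suconnect` race each other.
    client = threading.Thread(
        target=mock_suconnect,
        args=(port, BANDIT20_PASSWORD, FAKE_NEXT_PASSWORD),
    )
    client.start()

    conn, _ = srv.accept()
    with conn:
        payload = line_to_send.encode() + (b"\n" if trailing_newline else b"")
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)  # like nc once its stdin hits EOF
        reply = read_line(conn)        # nc would print this to the terminal
    srv.close()                        # one connection, then the port is gone
    client.join()
    return reply


if __name__ == "__main__":
    print("correct password ->", repr(run_exchange(BANDIT20_PASSWORD)))
    print("echo -n variant  ->", repr(run_exchange(BANDIT20_PASSWORD, trailing_newline=False)))
    print("wrong password   ->", repr(run_exchange("wrong-password")))
```

Because the script binds the listener before it launches the client there is no race, whereas in the shell one-liner `nc -l ... &` and `./suconnect` start at practically the same moment. If suconnect ever reports that the connection was refused, give nc a head start (a `sleep 1` between the two commands, or start the listener in a second terminal, screen or tmux window) and run suconnect again.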
Solution
As I said, the home directory holds the suconnect executable that hands out the next password. It is owned by bandit21 with the setuid bit set (the s in -rwsr-x---) and is executable by group bandit20, so it runs with bandit21's privileges and can read bandit21's password, while we, as bandit20, are only allowed to run it:
~$ ls -la
total 36
drwxr-xr-x  2 root     root      4096 Sep 19 07:08 .
drwxr-xr-x 70 root     root      4096 Sep 19 07:09 ..
-rw-r--r--  1 root     root       220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root     root      3771 Mar 31  2024 .bashrc
-rw-r--r--  1 root     root       807 Mar 31  2024 .profile
-rwsr-x---  1 bandit21 bandit20 15604 Sep 19 07:08 suconnect
Now let's use the commands from the theory and see if it works (it should):
~$ echo -n '5X4yofCajIVwIro9OH0y2ZbCqTF5mwXv' | nc -l -p 7424 &
[1] 4071663
~$ ./suconnect 7424
Read: 5X4yofCajIVwIro9OH0y2ZbCqTF5mwXv
Password matches, sending next password
lhuhHfJEupZ1huBKD8qQohRMMrJs7aMH
[1]+  Done                    echo -n '5X4yofCajIVwIro9OH0y2ZbCqTF5mwXv' | nc -l -p 7424
And it worked! Note that the last password line is printed by the backgrounded nc, which writes whatever arrives on the connection to the terminal, not by suconnect itself; the "Done" line right after shows nc exiting once that single connection is over. Now we should be good to go to the next level.
Level page: https://overthewire.org/wargames/bandit/bandit21.html