OverTheWire.org Walkthrough: Bandit

~ Level 20→21 ~

Level Description

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

The following are commands that may be required to solve the level: ssh, nc, cat, bash, screen, tmux, and Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)


Research Before Solving

A terminal multiplexer (screen, or tmux, which is what the walkthrough below uses) will be needed for this level. It lets you keep multiple command-line sessions open within the same window. More on this when we use it.


Solution Walkthrough

As usual, log in to the server, this time as bandit20. We will first use ls to list the files in the home directory, where we find a file named suconnect. Note its red colour, ls's indication of escalated privileges (the setuid bit the level description mentions). We can execute the file with ./suconnect

executing suconnect file

We are given nc as one of the commands for solving the level, and the executable itself tells us that the program will connect to a given port on localhost. This is where tmux comes in: we must set up two prompt sessions, one to listen on a port and the other to execute suconnect.

Type in the command tmux; you should see a new window open within your SSH client. We will now run tmux again to force open a second session. We can swap between the two sessions by pressing ctrl+b and then immediately shift+9 or shift+0 (the ( and ) keys, which move to the previous and next session). You should see the session name change in the status bar at the bottom.

In one session we type echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -l -p 55000, which echoes last level's password into nc, opens port 55000 and starts listening on it. We can now switch to the other session using ctrl+b followed by shift+0 and execute the file in the home directory, making sure to use the same port as in the first session: ./suconnect 55000

executable states it's sending the password for bandit21

As can be seen, one session confirms that the passwords match and that the password for bandit21 is being sent. Swapping to the other session shows the password for the next level. Congratulations!
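The level's NOTE suggests trying the protocol against your own network daemon before trusting that you understand it. The following Python script is an added example (not part of the original walkthrough and not the suconnect binary's code): it wires both sides of the exchange together on a free localhost port. The listener plays the role of echo PASSWORD | nc -l -p PORT, and suconnect_like is a hypothetical model of the behaviour the level description attributes to suconnect (read one line, compare, send the next password only on a match). The password values are constructed placeholders, not the game's real passwords.

```python
import socket
import threading

# Constructed sample values for this example; not the game's real passwords.
CURRENT_PASSWORD = b"example-bandit20-password"
NEXT_PASSWORD = b"example-bandit21-password"


def _read_line(conn):
    """Read bytes until a newline or EOF; return the line without its terminator."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:          # peer closed without sending a full line
            break
        buf += chunk
    return buf.rstrip(b"\r\n")


def listener(srv, line_to_send, result):
    """Stand-in for `echo PASSWORD | nc -l -p PORT` in the first tmux session:
    accept one connection, send the line, then record whatever comes back
    (empty bytes if the peer sends nothing)."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(line_to_send + b"\n")
        result["reply"] = _read_line(conn)
    srv.close()


def suconnect_like(port, expected, next_password):
    """Hypothetical model of what the level text says suconnect does:
    connect to localhost on PORT, read one line, compare it to the current
    password and, only on a match, transmit the next one. Not the real binary."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        got = _read_line(c)
        if got == expected:
            c.sendall(next_password + b"\n")
            return "match"
        return "mismatch"


def run_exchange(line_to_send, expected, next_password):
    """Run both halves of the exchange, as the two tmux sessions do.
    Returns (the client's verdict, what the listener received back)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=listener, args=(srv, line_to_send, result))
    t.start()
    verdict = suconnect_like(port, expected, next_password)
    t.join(timeout=5)
    return verdict, result.get("reply", b"")


if __name__ == "__main__":
    # Correct password on the listener side: the listener gets the next one back.
    print(run_exchange(CURRENT_PASSWORD, CURRENT_PASSWORD, NEXT_PASSWORD))
    # Wrong password: the client closes without sending anything.
    print(run_exchange(b"not-the-password", CURRENT_PASSWORD, NEXT_PASSWORD))
```

The ordering matters: the listener must be up before the client connects, and the listener speaks first, which is why the real solution needs the nc session running before ./suconnect is executed in the other session.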

Password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr