Bandit Level 20 → Level 21
Level Goal: There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Method #1 – Using Echo and Ampersand Symbol (&)
➜ ~ ssh email@example.com -p 2220
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234 &
22713
bandit20@bandit:~$ ./suconnect 1234
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
+ Done echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l -p 1234
Method #2 – Using Screen
➜ ~ ssh firstname.lastname@example.org -p 2220
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ screen -S netcat ncat -l -k -p 1234
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
➜ [Press Enter]
➜ [Press Ctrl + a + d] (This detaches you from the background screen session)
[detached from 14121.netcat]
bandit20@bandit:~$ ./suconnect 1234
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@bandit:~$ screen -r netcat
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Basically, this works by setting up some kind of rudimentary network listener or backdoor and then connecting to it again, either from another terminal or by bringing a background terminal process back to the foreground. In short, you alternate between sessions to read the input and output of each of your terminal instances.
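The exchange described in the level goal, modelled in Python as an added example (not part of the original walkthrough and not the level's binary): one side plays the nc/ncat listener, the other plays the behaviour attributed to suconnect. The function names, the placeholder secrets and the mismatch reply are assumptions made for the illustration.

```python
import hmac
import socket
import threading

def listen_once(line_to_send, result):
    """Listener side (the role nc/ncat plays): send one line, keep the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    srv.listen(1)                # listening before the client connects

    def handle():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(line_to_send.encode() + b"\n")
            result["reply"] = conn.makefile("r").readline().rstrip("\r\n")

    worker = threading.Thread(target=handle)
    worker.start()
    return srv.getsockname()[1], worker

def suconnect_model(port, current_secret, next_secret):
    """Hypothetical model of the described behaviour, not the real binary:
    connect to localhost, read one line, compare, answer on the same socket."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        received = s.makefile("r").readline().rstrip("\r\n")
        # Constant-time comparison, as a secret check should be written.
        ok = hmac.compare_digest(received.encode(), current_secret.encode())
        # "MISMATCH" is a constructed reply for this example.
        s.sendall((next_secret if ok else "MISMATCH").encode() + b"\n")
        return ok

def run_exchange(offered, current_secret, next_secret):
    """Run both sides once; return (matched, what the listener read back)."""
    result = {}
    port, worker = listen_once(offered, result)
    matched = suconnect_model(port, current_secret, next_secret)
    worker.join(timeout=5)
    return matched, result.get("reply")

if __name__ == "__main__":
    # Constructed placeholder values, not real level passwords.
    print(run_exchange("CURRENT-SECRET", "CURRENT-SECRET", "NEXT-SECRET"))
    print(run_exchange("wrong-guess", "CURRENT-SECRET", "NEXT-SECRET"))
```

The reply travels back over the same TCP connection, which is why the next password shows up in the listener's terminal (the backgrounded nc job or the reattached screen session).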