OverTheWire: Bandit Level 20

Bandit Level 20 → Level 21

Level Goal: There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think

Method #1 – Using Echo and Ampersand Symbol (&)

➜  ~ ssh bandit20@bandit.labs.overthewire.org -p 2220
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234 &
[1] 22713
bandit20@bandit:~$ ./suconnect 1234
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[2]+  Done                    echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l -p 1234

Method #2 – Using Screen

➜  ~ ssh bandit20@bandit.labs.overthewire.org -p 2220
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ screen -S netcat ncat -l -k -p 1234
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
➜ [Press Enter]
➜ [Press Ctrl + a, then d] (This detaches you from the screen session, which keeps running in the background)
[detached from 14121.netcat]
bandit20@bandit:~$ ./suconnect 1234
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@bandit:~$ screen -r netcat
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Notes:

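Both methods work the same way: suconnect is the client, so you have to supply the other end of the connection yourself. You set up a rudimentary network listener or backdoor on a port of your choice, give it the bandit20 password to send, and then connect to it with suconnect, either from another terminal or by putting the listener in the background and bringing it back to the foreground afterwards. In short, you alternate between sessions to read the input and output of each of your terminal instances.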
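
The exchange both methods rely on, shown from both sides as an added example that is not part of the original walkthrough: serve_once plays the role of the netcat listener, and fake_suconnect is a hypothetical stand-in written from the level goal, not the real binary. All function names and the placeholder strings are constructed for illustration.

```python
import socket
import threading

def serve_once(secret, port=0, timeout=5.0):
    """Listen on loopback, send `secret` as one line to the first client,
    and return (port, wait); wait() gives the line the client sent back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))      # port 0 = let the OS pick a free one
    srv.listen(1)
    srv.settimeout(timeout)
    bound_port = srv.getsockname()[1]
    result = {}

    def handle():
        with srv:
            conn, _ = srv.accept()
            conn.settimeout(timeout)
            with conn, conn.makefile("r") as reader:
                conn.sendall(secret.encode() + b"\n")
                result["reply"] = reader.readline().strip()

    worker = threading.Thread(target=handle, daemon=True)
    worker.start()

    def wait():
        worker.join(timeout * 2)
        return result.get("reply")

    return bound_port, wait

def fake_suconnect(port, expected, next_secret):
    """Stand-in client: read one line, reply only if it matches `expected`."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        with c.makefile("r") as reader:
            line = reader.readline().strip()
        if line == expected:
            c.sendall(next_secret.encode() + b"\n")
        return line == expected

def demo(sent="CURRENT-PLACEHOLDER"):
    port, wait = serve_once(sent)
    fake_suconnect(port, "CURRENT-PLACEHOLDER", "NEXT-PLACEHOLDER")
    return wait()

if __name__ == "__main__":
    print(demo())           # matching line: the listener receives the reply
    print(repr(demo("x")))  # wrong line: the client sends nothing back
```

The listener has to send its line first and only then read, which is why the netcat versions pipe or type the password into the listening side before the reply appears.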
