OverTheWire Bandit Write Up – Level 20

The last level was really fun. Learning that a binary can be used to execute commands under a different user will come in handy in the future. Moving forward with this information, Bandit level 20 should be easier. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 19, give it a quick read then head back over here.

Level 20

This level, similarly to the last, has a binary located in the bandit level 20 user directory. Using the binary I will be able to make a connection to localhost on a port I specify. Once connected I can send the password for level 20 and it will output the next level password.

Let’s Start Hacking Then

Before I can do anything, the first thing I need to do is initiate an SSH connection to the system.

ssh bandit20@bandit.labs.overthewire.org -p 2220

I’m then prompted for the password. I enter the one I got from the last level and I’m in. It’s now time to start playing. I start by checking what I have in the current directory with the ls command. I’m then presented with a single binary, suconnect. Before I can use the binary effectively I need to know how it works. I run the following:

./suconnect

To which I am presented with the following output:

This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.

At this point I was unsure what port I needed to use, so I started with port 22. However, this just gave me an error and exited the binary. I then thought maybe the port would be found using the netcat command; however, the ports available were not correct either.

Now feeling defeated with this level, I spent another 1-2 weeks thinking about where I was going wrong and just came up stumped each time. That was when I thought I would ask for a hint from the OverTheWire community. I headed over to the IRC and spoke with a really helpful person who pushed me towards the following information.

the main thing to be aware of here is the client/server distinction and which role the suconnect program takes

Taking this new information I finally realised what I needed to do, and that was to set up both the server and the client on the same machine. There are a couple of ways to do this. I can use the screen command that I had to use in a previous level, or use tmux. tmux was going to be my chosen option as this would allow me to split the terminal view in half. To load a tmux terminal I run the following.

tmux

I can now split the tmux session into two halves using Ctrl+b ". The terminal is now split with a horizontal line across the middle. In the bottom of the two windows I use the following command to listen on port 1234 with the -l argument.

nc -l -p 1234 localhost

I then use Ctrl+b (up arrow) to go to the top window while leaving the nc server running below. Now in the top window I run the following command to initiate the nc connection.

./suconnect 1234

I now need to send the bandit level 20 password from the server to the client. Moving to the bottom window using Ctrl+b (down arrow), I then paste in the password and press enter. In the top window I then see the following:

Password matches, sending next password

…and Wham! Bam! Thank you ma’am! I have the password now for level 21.
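The client/server split from the hint can be reproduced in one process. This is an added example, not part of the original write-up and not the code of suconnect: `serve_once` plays the nc listener, `standin_client` is a hypothetical stand-in for suconnect, and every secret and the "FAIL" reply are constructed values.

```python
import hmac
import socket
import threading

HOST = "127.0.0.1"  # loopback only, as in the write-up

def serve_once(listener, secret):
    """Server role (nc -l in the write-up): accept one client, send the
    secret, then collect whatever the client answers until it hangs up."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        conn.sendall(secret.encode() + b"\n")
        reply = b""
        while chunk := conn.recv(1024):
            reply += chunk
    return reply.decode().strip()

def standin_client(port, expected, next_secret):
    """Client role (hypothetical stand-in for suconnect): connect out,
    read one line, answer only if it matches the expected secret."""
    with socket.create_connection((HOST, port), timeout=5) as sock:
        line = b""
        while not line.endswith(b"\n"):
            chunk = sock.recv(1024)
            if not chunk:
                break
            line += chunk
        ok = hmac.compare_digest(line.strip(), expected.encode())
        sock.sendall((next_secret if ok else "FAIL").encode() + b"\n")
        return ok

def run_exchange(sent, expected, next_secret="constructed-next-secret"):
    """Start the listener first, then let the client connect to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind((HOST, 0))  # port 0: the OS picks a free port
        listener.listen(1)
        listener.settimeout(5)
        port = listener.getsockname()[1]
        out = {}
        server = threading.Thread(
            target=lambda: out.update(reply=serve_once(listener, sent)))
        server.start()
        matched = standin_client(port, expected, next_secret)
        server.join()
    return matched, out["reply"]

if __name__ == "__main__":
    # Constructed sample values, not real Bandit passwords.
    print(run_exchange("constructed-level20", "constructed-level20"))
    print(run_exchange("wrong-guess", "constructed-level20"))
```

The listener is bound and listening before the client connects, which is the ordering the two tmux windows enforce by hand.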

Level 20 Complete

I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.
