Bandit20->21
Level Goal
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password of the previous level (bandit20). If the password is correct, it transmits the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Commands useful to solve the level
Helpful Reading Material
- Bash Job Control
- List of Commands
- How to move a running process to background UNIX StackOverflow Discussion
Where to start?
We can start this level by running the executable suconnect without any argument to get a better feel for what the program does.
Here is the output from this command:
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
suconnect is a TCP client, which means we need to set up a server for it to connect to.
Part 1: Setting up a TCP server that sends the password
The first part of this challenge is to set up a TCP server that we will use to send the password to any host that would be trying to connect.
Hint
Using the CLIENT/SERVER MODEL of the nc command, can you figure out a way to set up a server that will listen for incoming connections and send the password to any client that connects to it?
Solution
Let's start from the listener shown in the nc man page example:
nc -l 1234
Redirecting the password file into the listener's standard input makes nc send its contents to the first client that connects, so the command we're actually going to use is:
nc -l 1234 < /etc/bandit_pass/bandit20
Part 2: Running the TCP server as a background process
After running this command, we notice that the listener blocks in the foreground: we have no access to our terminal while the server is running. Our goal here is to keep the server open and still be able to talk to it from the same terminal session.
Hint
By using the Helpful Reading Material, can you figure out a way to run our server as a background process so that you can continue communicating with the server using your current terminal session?
Solution
To continue using the current terminal session while the server runs, we launch it as a background job by appending &. Bash then returns control of the terminal immediately instead of waiting for the command to finish (the status reported at that point is 0 because the job was started successfully, not because nc has completed).
Here is the command we're going to execute.
nc -l 1234 < /etc/bandit_pass/bandit20 &
Part 3: Communicating with our server
Now that we have a server running and listening on port 1234, we can use the executable to communicate with it. This part is straightforward, so there is no hint.
Solution
We just need to run the executable suconnect and pass it the port our server is listening on.
Here is the output from that command:
bandit20@bandit:~$ ./suconnect 1234
Read: bandit20_pass
Password matches, sending next password
bandit21_pass
[1]+ Done nc -l 1234 < /etc/bandit_pass/bandit20
bandit20@bandit:~$
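The exchange set up in the three parts above, reproduced in Python as an added example that is not part of the level or its binary: a listener that plays the role of nc -l (sends the password line, then waits for the reply) and a client that behaves like suconnect (reads one line, compares it with the current password, and sends the next password only on a match). The password strings, the port choice and the function names are constructed for this example.

```python
import socket
import threading

# Constructed sample values; the real level reads /etc/bandit_pass/bandit20.
CURRENT_PASSWORD = "bandit20_pass"
NEXT_PASSWORD = "bandit21_pass"


def password_server(listener, password):
    """Play the role of `nc -l <port> < /etc/bandit_pass/bandit20`: accept one
    client, send it the password line, then read back what the client answers."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(password.encode() + b"\n")
        # An empty string here means the client closed without answering.
        return conn.makefile("rb").readline().decode().rstrip("\n")


def suconnect_like_client(port, expected_password, next_password):
    """Behave like suconnect: connect to localhost:<port>, read one line and
    release the next password only if that line equals the current one."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        line = sock.makefile("rb").readline().decode().rstrip("\n")
        if line == expected_password:
            sock.sendall(next_password.encode() + b"\n")
            return "Password matches, sending next password"
        return "Wrong password"


def run_exchange(password_on_the_wire):
    """Run one listener and one client on an ephemeral localhost port and
    return (client message, line the listener received back)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    # The listener runs in a thread, which is what `&` does for nc in the shell.
    server = threading.Thread(
        target=lambda: result.update(reply=password_server(listener, password_on_the_wire)))
    server.start()
    client_msg = suconnect_like_client(port, CURRENT_PASSWORD, NEXT_PASSWORD)
    server.join(timeout=5)
    listener.close()
    return client_msg, result.get("reply", "")


if __name__ == "__main__":
    print(run_exchange(CURRENT_PASSWORD))   # correct password: next one comes back
    print(run_exchange("not_the_password"))  # wrong password: nothing comes back
```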
Full Solution
nc -l port_number < /etc/bandit_pass/bandit20 &   to run a server listening on port_number in the background.
./suconnect port_number   to retrieve the password for the next level.
You can now jump to the next level.