Bandit20 - bandit21

From JaxHax

Level Goal

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).


NOTE: To beat this level, you need to log in twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.


NOTE 2: Try connecting to your own network daemon to see if it works as you think.


Solution

You don't actually need two shells for this one; you can simply use "&" to run your nc server in the background. We will set up a netcat listener, redirect the current password file into it, and tell suconnect to connect to that listener.

bandit20@melinda:~$ ls
suconnect
 
bandit20@melinda:~$ ls -lh
total 8.0K
-rwsr-x--- 1 bandit21 bandit20 7.9K Nov 14 10:32 suconnect
 
bandit20@melinda:~$ ls
suconnect
 
bandit20@melinda:~$ ls -la
total 28
drwxr-xr-x   2 root     root     4096 Nov 14 10:32 .
drwxr-xr-x 167 root     root     4096 Mar 21 06:46 ..
-rw-r--r--   1 root     root      220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root     root     3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root     root      675 Apr  9  2014 .profile
-rwsr-x---   1 bandit21 bandit20 8006 Nov 14 10:32 suconnect
 
bandit20@melinda:~$ nc -l -p 45566 < /etc/bandit_pass/bandit20 &
[1] 5649
 
bandit20@melinda:~$ nc localhost 45566
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
[1]+  Done                    nc -l -p 45566 < /etc/bandit_pass/bandit20
 
bandit20@melinda:~$ nc -l -p 45566 < /etc/bandit_pass/bandit20 &
[1] 16738
 
bandit20@melinda:~$ ./suconnect 45566
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[1]+  Done                    nc -l -p 45566 < /etc/bandit_pass/bandit20
 
bandit20@melinda:~$
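
The exchange in the session above, modelled end to end as an added Python example (not part of the original walkthrough and not the level's own code). The listener plays the role of `nc -l -p PORT < file`; `suconnect_stand_in` is a hypothetical stand-in written from the level description, the two passwords are constructed placeholders, and closing silently on a mismatch is an assumption.

```python
import socket
import threading

# Constructed placeholder values, not real level passwords.
CURRENT_PW = "constructed-current-password"
NEXT_PW = "constructed-next-password"


def read_line(conn):
    """Read bytes up to the first newline (or EOF) and return them as text."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().rstrip("\n")


def suconnect_stand_in(port, expected=CURRENT_PW, secret=NEXT_PW):
    """Hypothetical stand-in for the setuid client: connect to localhost:port,
    read one line, compare it, and send the next password only on a match."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        if read_line(conn) == expected:
            conn.sendall((secret + "\n").encode())
            return True
        return False  # assumption: nothing is sent on a mismatch


def exchange(offered_line):
    """Listener side: accept one connection, send one line, return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        client = threading.Thread(target=suconnect_stand_in, args=(port,))
        client.start()
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            conn.sendall((offered_line + "\n").encode())
            reply = read_line(conn)  # empty string if the client just closes
        client.join()
    return reply


if __name__ == "__main__":
    print("match    ->", repr(exchange(CURRENT_PW)))
    print("mismatch ->", repr(exchange("wrong guess")))
```

Like the nc listener in the session, each call serves exactly one connection, which is why the walkthrough has to start nc again after the test connection.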