Skip to main content

Over the Wire - Bandit 21

Bandit 21

 Objectives
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
Solution

 At first I thought there was already an open port with the application to send the password to.

bandit20@bandit:~$ lssuconnect


after running nmap and connecting to all the ports, I couldn't find one that would supply the password.....

so  let's role our own
we'll use netcat to setup a listener on a port we create that sends the password when connected to, then point their application in the home directory to connect to it and hopefully get our next password.

This does require two ssh sessions

SSH Server 

bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | netcat -lvp  55555listening on [any] 55555 ...



SSH Clientbandit20@bandit:~$ ./suconnect 55555


Results

SSH Server

connect to [127.0.0.1] from localhost [127.0.0.1] 48528gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr


SSH Client

bandit20@bandit:~$ ./suconnect 55555Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0jPassword matches, sending next password



Password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr



now in python

import socketimport sys
# Create a TCP/IP socketsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bind the socket to the address given on the command lineserver_name = 'localhost'server_address = (server_name, 55555)levelpass = 'GbKksEFF4yrVs6il55v6gwY5aVje5f0j'print >>sys.stderr, 'starting up on %s port %s' % server_addresssock.bind(server_address)sock.listen(1)
while True:    print >>sys.stderr, 'waiting for a connection'    connection, client_address = sock.accept()    try:        print >>sys.stderr, 'client connected:', client_address        connection.sendall(levelpass)        while True:            data = connection.recv(32)            print >>sys.stderr, 'received "%s"' % data            if data:                connection.sendall(data)            else:                break    finally:        connection.close()




output serverwaiting for a connectionclient connected: ('127.0.0.1', 56788)received "gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr"received ""

output client - still the same commandbandit20@bandit:~$ ./suconnect 55555
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password


Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0jPassword matches, sending next password

Labels:

Comments

Post a Comment