Login

  • ssh : ssh bandit20@bandit.labs.overthewire.org -p 2220
  • password : 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

Task :

  • To get the next level's password, you have to connect to localhost on a port (not mentioned) using the given setuid binary (suconnect).

Theory

  • The nc (netcat) command isn’t just for connecting to remote servers, as seen in level 14. It can also be used to create a simple TCP server using nc -l <port>.

  • In this level, the provided setuid binary connects to a specified port on localhost and expects to receive a string (the password for bandit20). If the received string is correct, it responds by sending back the password for the next level.

  • With this in mind, we can set up our own server using netcat, listen on a chosen port, and when the binary connects, send it the correct password manually or via a script to retrieve the next level’s password.


Solution

I used netcat (nc) to create a simple server, but since the challenge requires the server to send data to the client after a connection is made, we need to inject a string (the password) as soon as the client connects. This can be done using echo:

echo bandit20password | nc -l 23023

This command sets up a TCP server that listens on port 23023, and once the binary connects, it immediately receives the password from the echo command. We can run this in the background using & so that the terminal remains usable:

echo bandit20password | nc -l 23023 &

Then, we run the provided binary:

./suconnect 23023

If the password is correct, the binary will respond by sending back the password for the next level (bandit21), which will be printed in your terminal.

Alternative: Using Two Terminal Sessions

Instead of automating everything with echo, I tested the behavior manually by using two terminal sessions and logging into bandit20 from both:

  • Terminal 1 (Server):
nc -l 23023

Before connecting from the second session, I manually typed the correct bandit20 password into this terminal (this simulates what echo would do automatically).

  • Terminal 2 (Client):
./suconnect 23023

Once the binary connects, it receives the string I entered in Terminal 1, checks if it’s valid, and if so, sends back the password for the next level. Returning to Terminal 1, I can see that the binary’s response — the bandit21 password — has been printed.
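
The exchange described above, with both sides on loopback, as an added example that is not part of the original write-up or of the Bandit binaries. suconnect_stand_in is a hypothetical model of the client built only from the behaviour described here; both passwords are constructed placeholders and the "FAIL" reply for a wrong string is an assumption.

```python
import socket
import threading

# Constructed placeholder values, not real Bandit passwords.
CURRENT_PW = "constructed-current-password"
NEXT_PW = "constructed-next-password"


def suconnect_stand_in(port, expected=CURRENT_PW, reward=NEXT_PW):
    """Hypothetical client: connect to localhost, read one line, compare, reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        line = s.makefile("r").readline().rstrip("\n")
        if line == expected:
            s.sendall((reward + "\n").encode())
            return True
        s.sendall(b"FAIL\n")  # assumed failure reply
        return False


def serve_once(password):
    """Listener side: accept one connection, send the password, return the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # loopback only; port 0 lets the OS pick a free port
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]
    client = threading.Thread(target=suconnect_stand_in, args=(port,))
    client.start()  # plays the role of running ./suconnect <port>
    try:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            # The server speaks first, which is what `echo ... | nc -l` achieves.
            conn.sendall((password + "\n").encode())
            reply = conn.makefile("r").readline().strip()
    finally:
        srv.close()
        client.join()
    return reply


if __name__ == "__main__":
    print(serve_once(CURRENT_PW))     # correct string: client returns the next password
    print(serve_once("wrong-guess"))  # wrong string: client returns the failure reply
```
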