The Goal

There is a setuid binary called suconnect in the home directory. It connects to a port you specify on localhost, reads a line, and compares it to the current level's password. If it matches, it sends back the next level's password.

The Approach

This requires two processes running at the same time: a listener that holds the current password, and suconnect connecting to it. Two separate SSH sessions (or two windows in a terminal multiplexer) accomplish this.

In Terminal 1, start a listening server on an arbitrary port:

# Terminal 1
bandit20@bandit:~$ nc -vl localhost 50004
Listening on localhost 50004

In Terminal 2, run suconnect pointing at the same port:

# Terminal 2
bandit20@bandit:~$ ./suconnect 50004

Back in Terminal 1, the connection is received. Type the current level's password:

# Terminal 1 (after suconnect connects)
Connection received on localhost 37908
password

Terminal 2 confirms the match and sends the next password back to Terminal 1:

# Terminal 2
bandit20@bandit:~$ ./suconnect 50004
Read: password
Password matches, sending next password
# Terminal 1 (the line you typed, then the next password sent back by suconnect)
Connection received on localhost 37908
password
password
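
The same two-sided exchange as a stand-alone Python script, added here as an illustration and not part of the original write-up: run_listener plays the role of nc (bind a free port on localhost, send one line, read the reply), and mock_suconnect is an assumed stand-in for the real setuid binary so the script runs offline; the password strings are constructed placeholders, and the mismatch case shows what the listener sees when the typed line is wrong.

```python
import socket
import threading

# Constructed placeholders, not real Bandit passwords.
CURRENT_PASSWORD = "current-level-password"
NEXT_PASSWORD = "next-level-password"


def run_listener(typed: str, ready: threading.Event, result: dict) -> None:
    """Player's side: what `nc -vl localhost <port>` plus typing one line does."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(1)
    srv.settimeout(5)
    result["port"] = srv.getsockname()[1]
    ready.set()                       # tell the other side which port to connect to
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(5)
        conn.sendall((typed + "\n").encode())   # nc sends the typed line with its newline
        # An empty string here means suconnect closed without sending anything (mismatch).
        result["reply"] = conn.makefile("r").readline().rstrip("\n")
    srv.close()


def mock_suconnect(port: int, expected: str, next_pw: str) -> str:
    """Assumed stand-in for suconnect: connect, read one line, compare, reply on match."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("r")
        line = f.readline().rstrip("\n")   # strip the newline nc appended
        f.close()
        if line != expected:
            return "Wrong password"
        s.sendall((next_pw + "\n").encode())
        return "Password matches, sending next password"


def exchange(typed: str, current: str = CURRENT_PASSWORD, next_pw: str = NEXT_PASSWORD) -> dict:
    """Run the listener and suconnect concurrently (the two terminals) and collect both outcomes."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=run_listener, args=(typed, ready, result))
    t.start()
    ready.wait()                      # listener is bound before suconnect tries to connect
    result["status"] = mock_suconnect(result["port"], current, next_pw)
    t.join()
    return result
```

Calling exchange(CURRENT_PASSWORD) returns the next password in result["reply"]; a wrong line returns an empty reply because the other side simply closes the connection.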

Using tmux

A terminal multiplexer like tmux handles both windows within a single SSH session. Start a new session with tmux, then use Ctrl-b c to create a new window and Ctrl-b 0 / Ctrl-b 1 to switch between them. The commands above work the same way across the two tmux windows.

Commands Covered

  • nc -vl localhost port, start a listening TCP server on a local port
  • tmux, terminal multiplexer for managing multiple windows in one session
  • Ctrl-b c, create a new tmux window
  • Ctrl-b 0-9, switch between tmux windows by number