There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)
```
> whatis ssh
ssh (1) - OpenSSH remote login client

> whatis nc
nc (1) - arbitrary TCP and UDP connections and listens

> whatis cat
cat (1) - concatenate files and print on the standard output

> whatis bash
bash (1) - GNU Bourne-Again SHell

> whatis screen
screen (1) - screen manager with VT100/ANSI terminal emulation

> whatis tmux
tmux (1) - terminal multiplexer
```
Note: Not all commands are required to complete the level
We have a binary file that connects to a user-specified port and reads a line of text from it. If the text is the same as the last level’s password, we get the next level’s password.
So the first task is to set up a listener on any port on the system that will return the previous level's password when the binary file connects to that port. We can set up a listener using the Netcat command.
(The password for the previous level is stored in /etc/bandit_pass/bandit19, which we found in the previous level.)
```
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234 &
[1] 14333
```
The -l flag is used to set up a listener and the -p flag is used to specify the port the listener should listen on. As we have not specified an IP address, the listener is going to run on localhost.
The “&” at the end of the command specifies that we want the command to run in the background. The jobs command can be used to view all the processes/jobs on the system.
```
bandit20@bandit:~$ jobs
[1]+  Running                 echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234 &
```
Now that we have the listener set up, we can use the binary file to connect on the same port.
```
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect 1234
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[1]+  Done                    echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -lp 1234
```
As soon as we connected, the binary compared the previous level's password with the text our listener served on port 1234, and since they matched we got the password for the next level.
Log out of the current session and start the next level as bandit21.
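Both sides of the exchange described above, as an added Python example that is not part of the original write-up and is not the suconnect binary. `one_shot_listener` stands in for the netcat listener and `connect_and_check` for the client; both names, the secrets, and the client's behaviour on a mismatch (closing without replying) are assumptions made for illustration. The listener binds explicitly to 127.0.0.1 so the address it accepts connections on is unambiguous.

```python
import hmac
import socket
import threading

def one_shot_listener(secret):
    """Listen on loopback, send `secret` to the first client, record its reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # loopback only; port 0 lets the OS pick a free port
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn, conn.makefile("rw") as f:
                conn.settimeout(5)
                f.write(secret + "\n")
                f.flush()
                # An empty string here means the client closed without answering.
                result["reply"] = f.readline().strip()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread, result

def connect_and_check(port, expected, next_secret):
    """Client side: read one line, compare it, answer only on a match."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        with s.makefile("rw") as f:
            line = f.readline().rstrip("\n")
            # Constant-time comparison, so timing does not leak how much matched.
            ok = hmac.compare_digest(line.encode(), expected.encode())
            if ok:
                f.write(next_secret + "\n")
                f.flush()
            return ok

def run_exchange(offered, expected, next_secret):
    port, thread, result = one_shot_listener(offered)
    ok = connect_and_check(port, expected, next_secret)
    thread.join(timeout=5)
    return ok, result.get("reply")

if __name__ == "__main__":
    # Constructed placeholder secrets, not real level passwords.
    print(run_exchange("current-level-secret", "current-level-secret", "next-level-secret"))
    print(run_exchange("wrong-guess", "current-level-secret", "next-level-secret"))
```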
```
> ssh email@example.com -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

firstname.lastname@example.org's password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
```