Day 3 of Advent of Cyber 2023

Problem statement summary

After everything that happened on Day 2, now the hydra is coming to town! Before anything else, and in order to keep the systems secure, the team must resort to the backup tapes to recover the systems. The problem is that they cannot unlock the IT room door, because its password was changed too. So the only option left is to hack back in and retrieve the backup tapes.

Objective:

After completing this task, you will understand:

  • Password complexity and the number of possible combinations

  • How the number of possible combinations affects the feasibility of brute force attacks

  • Generating password combinations using crunch

  • Trying out passwords automatically using hydra

What is a brute force attack?

In simple words, brute force means trying as many password combinations as possible in order to gain access; doing that manually would be a headache for sure. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and to organizations' systems and networks. The attacker tries multiple usernames and passwords, usually using a computer to test a wide range of combinations, until they find the correct login information.

Counting the PIN codes

Consider a scenario where we need to select a PIN code of four digits. How many four-digit PIN codes are there? The total would be 10,000 different PIN codes: 0000, 0001, 0002, …, 9998, and 9999. Mathematically speaking, that is 10×10×10×10, or simply 10^4, different PIN codes that can be made up of four digits.

Counting the Passwords

Now this could be tricky, but let's dive into it!

Conditions:-

  • A digit: We have 10 digits (0 to 9)

  • An uppercase English letter: We have 26 letters (A to Z)

  • A lowercase English letter: We have 26 letters (a to z)

To generate the candidate passwords, we will use our attack machine.

Using crunch (a tool that generates every possible string from a given character set), the command to enter is "crunch 3 3 0123456789ABCDEF -o 3digits.txt". The parts of this command are:-

  • 3, the first number, is the minimum length of the generated password

  • 3, the second number, is the maximum length of the generated password

  • 0123456789ABCDEF is the character set to use to generate the passwords

  • -o 3digits.txt saves the output to the 3digits.txt file.

    The output in the AttackBox terminal after this command will be:

    Amount of data: 16384 bytes (0 MB, 0 GB, 0 TB, 0 PB)

    Number of lines: 4096
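As an added example (not part of the original write-up), the following Python reproduces the arithmetic behind crunch's summary for any character set and length range: the number of candidates, the wordlist size in bytes (each candidate plus a newline, which gives the 16384 bytes above), and how long exhausting the list would take at an assumed rate. The rate of 23 attempts per second is an assumption derived from the roughly three minutes Hydra needs for 4096 PINs; the charset and length values are the ones discussed in the text.

```python
import itertools
from typing import Iterator


def keyspace_size(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidates for all lengths from min_len to max_len (e.g. 16^3 = 4096)."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def wordlist_bytes(charset: str, min_len: int, max_len: int) -> int:
    """Size of the generated file: every candidate is written followed by a newline."""
    n = len(charset)
    return sum((n ** length) * (length + 1) for length in range(min_len, max_len + 1))


def candidates(charset: str, min_len: int, max_len: int) -> Iterator[str]:
    """Yield the candidates shortest-first, in charset order, as in the crunch wordlist."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def worst_case_seconds(charset: str, min_len: int, max_len: int, attempts_per_second: float) -> float:
    """Time to try every candidate at the given rate (the rate is an assumption, not measured)."""
    return keyspace_size(charset, min_len, max_len) / attempts_per_second


if __name__ == "__main__":
    DIGITS = "0123456789"
    HEX = "0123456789ABCDEF"
    ALNUM = DIGITS + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz"
    ASSUMED_RATE = 23.0  # assumption: about 4096 attempts in ~3 minutes against the web form
    print("4-digit PINs:", keyspace_size(DIGITS, 4, 4))
    print("3-char hex:", keyspace_size(HEX, 3, 3), "candidates,", wordlist_bytes(HEX, 3, 3), "bytes")
    print("8-char alphanumeric:", keyspace_size(ALNUM, 8, 8), "candidates")
    print("years to exhaust 8-char alphanumeric at assumed rate:",
          worst_case_seconds(ALNUM, 8, 8, ASSUMED_RATE) / (3600 * 24 * 365))
```

The last line is the point of the section: a PIN drawn from 16 symbols falls in minutes, while the 62-symbol, 8-character space is out of reach at the same rate.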

Hydra

We need to review the HTML source of the login page in order to find more details:

  1. The method is POST

  2. The URL is http://MACHINE_IP:8000/login.php

  3. The PIN code value is sent with the name pin

In essence, the primary login page at http://MACHINE_IP:8000/pin.php receives user input, forwarding it to /login.php with the identifier "pin." To systematically assess the security of this system, we employ Hydra, a password brute-force tool.

The Hydra command is structured as follows:

hydra -l '' -P 3digits.txt -f -v MACHINE_IP http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000

Breaking down the components of this command:

  • -l '' specifies an empty login name since only a password is required for the security lock.

  • -P 3digits.txt designates the password file to be used, containing potential passwords.

  • -f instructs Hydra to halt upon discovering a valid password.

  • -v activates verbose output, aiding in error detection and troubleshooting.

  • MACHINE_IP is the target's IP address.

  • http-post-form indicates the HTTP method employed.

  • "/login.php:pin=^PASS^:Access denied" has three segments separated by colons:

    • /login.php is the page where the PIN code is submitted.

    • pin=^PASS^ dynamically replaces ^PASS^ with values from the password list.

    • Access denied specifies that an incorrect password leads to a page containing this text.

  • -s 8000 denotes the port number on the target.

Executing this Hydra command is expected to take approximately three minutes to uncover the password.

This approach systematically tests every potential password, utilizing Hydra's capabilities for efficient and thorough security assessment.

The provided Hydra command has proven successful in identifying the correct password. When executed on the AttackBox, this command is expected to conclude within three minutes. With the newfound password, you can now access the IT server room by entering it at http://MACHINE_IP:8000/ using the web browser on the AttackBox. This access enables control over the door, allowing you to proceed with the retrieval of the backup tapes essential for the imminent system rebuild.
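From the defender's side, as an added example that is not part of the original write-up: a small Python detector that reads web-server access-log lines and flags any source address that POSTs to /login.php more than a threshold number of times inside a sliding time window, which is exactly the traffic pattern the Hydra run above leaves behind. The log lines are constructed for this example and are assumed to be in Apache combined format and in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): one source submits twelve PINs in
# twelve seconds, another loads the form and submits a single PIN.
SAMPLE_LOG = "\n".join(
    [f'10.10.14.7 - - [03/Dec/2023:09:00:{i:02d} +0000] "POST /login.php HTTP/1.1" 200 512'
     for i in range(12)]
    + ['10.10.14.9 - - [03/Dec/2023:09:00:30 +0000] "GET /pin.php HTTP/1.1" 200 1024',
       '10.10.14.9 - - [03/Dec/2023:09:00:35 +0000] "POST /login.php HTTP/1.1" 200 512']
)

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def detect_bruteforce(log_text, path="/login.php", window_seconds=60, threshold=10):
    """Map each source IP that reached `threshold` POSTs to `path` within any
    `window_seconds` span to the largest count seen in such a window."""
    recent = defaultdict(deque)  # per-IP timestamps of POSTs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, req_path = parsed
        if method != "POST" or req_path != path:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))  # only the hammering source is reported
```

Because the PIN form returns 200 for both success and "Access denied", the status code alone carries no signal; the request rate per source is what separates the brute-force run from a legitimate user mistyping a PIN.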

Task 1:

Using crunch and hydra, find the PIN code to access the control system and unlock the door. What is the flag?

Answer: THM{pin-code-brute-force}