Bandit NCat Python
Difficulty
Intermediate
Duration
3h 8m
Students
114
Ratings
5/5
Description

This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.

Transcript

Hi. We are currently inside of Bandit Level 24, and in this lecture, we're going to try and go to the Bandit Level 25. So, here you go. It says that a daemon is listening on port 30002, and we'll give you the password for the bandit25 if given the password for the bandit24 and a secret numeric 4-digit pin code. So, we're going to go into this port and we're going to supply the password and a 4-digit pin code. So, this is good. There is no way to retrieve the pin code except by going through all of the combinations. So, let's try that and select. I'm going to copy this bandit to level 24, and let me try to copy it one more time. I believe we couldn't get that one, so I'm just going to copy this one and come over here and see if we can paste it over there. Yeah, we can paste this. Of course, it doesn't make sense to hit enter because it won't do anything. We have to open a port and at least communicate with the 30002 port and just see how it works.

I believe we're going to have to do some brute-forcing, as we are instructed over here, because we don't know anything about that 4-digit pin code. So, it's something like 1234, 5555, but we don't know it. Yeah. So, we're going to have to try every combination. So, let me see how this works first. I'm going to create a Netcat command over here. So, here you go, it works. It asks for the password, and it says that I'm the pin code checker, so I'm going to paste this, not this but this, okay. I'm going to copy this, and I'm just going to delete this, and I'm going to paste this. I couldn't do that. Let me try it one more time. Paste this and let me just not give any pin code and see what happens, or just give 123456, something like that. And here we go. It says to enter the correct pin code, so let me try another one like this, and here we go. It works, but we don't know the pin code. So, that's the problem over here.

So, as you can see, it might take some time because there are a lot of combinations, like 10,000 combinations, and we cannot do that by hand, right. We have to write a script in order to make sure we optimize that process, and you can do it by hand like that, but it will take some hours or something like that. So, let's see if there's a Python over here. Yeah, yes, there's a Python, and we can use Python in order to create a for loop. And also, we can actually use Bash scripting one more time. We already know that we can write Bash scripts over here, and we can execute them. And you have seen how to do a for loop in a Bash script within the previous lecture, so let me show you what I mean. I'm going to go into the /tmp folder. Okay. And I'm coming over here because we can write something over there. Right. We can create a new folder. We can create a new file and execute it.

So, I'm going to create another folder like we used to do. I'm going to create atil, or I'm just going to call it 24 because we are inside of 24. So, I'm inside of atil24. Okay. And I'm going to create a new Bash script file. And let me try that nano one more time and see if this works: myscript.sh. No, it doesn't work. There is something wrong with nano, I believe, within the system. So, I'm going to try with vim. Okay, vim. And let's call this something else, not myscript.sh. You can call it anything you want, and vim is another editor. It's exactly like nano, but it's harder to use, so I don't use it very often in order to just keep it simple, but as you can see, I believe this works. So, if you hit 'I' on your keyboard, you go to the insert mode inside of vim, so this is a text editor, as you can see, and we can write whatever we want over there. Right. So, it's the same thing, but it's actually harder to use. So, hit 'I' and try to type the shebang, a hash and an exclamation point, and you can write /bin/bash after it over here, like this: #!/bin/bash. So, here you go.

After the #!/bin/bash, let me try to copy and paste and see if copy and pasting works. So, let me come over here and paste this. Here you go. I believe this is working, so maybe we can assign this to a variable as the bandit24 password, something like this. Okay. So far, so good. We managed to create a variable over there. Of course, we're going to write the rest, but for right now, let me test to see if we can save this file. In order to do that, hit 'Escape' on your keyboard. It will take you out of the insert mode. Now, you can write commands over here at the left bottom side of your screen. Now, I'm going to write :wq. So, it means write it and then quit it. Okay, :wq. And if you hit 'Enter' after you write this, it will write it and then quit it. So, let me cat that out and see if this works. Yes, here you go. It actually worked, so there was something wrong with nano. I don't know what it is, but we can use vim, obviously. So, I'm going to go for vim one more time and complete my script over there.

And again, you can use Python if you want, but since we have started with a Bash script, I'm going to continue with the Bash script. So, I'm continuing with Bash scripting, and if you run this vim one more time, you can continue editing your script. So, what I'm going to do, I'm going to create a for loop. So, remember, for loops are loops that you actually run over and over again until the condition is met, the condition or a range is met. And the range here will be from 1111 to 9999 in order to test all the available digit pin codes. So, it's written like this. You have to follow me exactly while I'm writing over here, or else it wouldn't work. So, I'm going to call this i, and inside of the curly braces, I'm going to specify a range. So, our range will be from 1111 to 9999, and I don't know if it's supposed to be from 0000, but I'm just going to try it like this. So, in order to specify a range in Bash scripting, you can do it like this: {1111..9999}, and then you can say do. So, don't forget the semicolon over there. And after do, you can specify what's going to happen inside of this loop. Every time this loop gets called, we're going to write echo. Okay. And just give the bandit24 password over here. So, this is our variable holding that password value for us. And with a space, you can write something like $i over there, and i stands for the individual pin that we have at that point. So, i will be 1111 first and then 1112, 1113, 1114, up until 9999. So, it's going to repeat that process again and again until it's finished, or until we get the result back from the server and the command gets executed and canceled. Okay. And we can just write done over here, and I believe that's our for loop. Right? And of course, we're going to have to create a connection to the port that we're trying to send this to. So, what I'm going to do, I'm going to pipe this, pipe this for loop like that with a piping sign.
After done, I'm going to take every output from here, and I'm going to pipe this to Netcat, so that it can forward this information to localhost 30002, like this. Okay. So, do :wq and hit 'Enter,' so it will write and quit. And if you cat myscript.sh, you will see the final result over here. So far, so good. Now, all we have to do is just make it executable, like chmod 777 myscript.sh. Now, if we run this myscript.sh, it will do what we have instructed it to do. So, it's going to try every possible pin code on that port. So, I'm just going to write ./myscript.sh in order to execute this. And here you go. It's trying and trying and trying, and the connection is closed, then we find the correct one, and here we have the password for bandit25. Yes, let's copy this. See, this is fun. I told you so. I'm going to come over here and nano the password.txt. At least nano works in our own Kali Linux, so that we don't have to deal with vim. So, I'm going to come over here to level 25 and save this and just come out of this. So, right now, we know how to go into bandit25, so I'm going to just do it and see if that password is right or not. And if this is right, we're going to stop here. Let's just test this. I'm going to paste the selection and hit 'Enter.' And here we go. We are inside. So, I'm going to stop here and continue within the next lecture.


About the Author
Students
2092
Courses
55
Learning Paths
3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.