TryHackMe — Advent of Cyber 2023 Day 3 Write-Up — Hydra is Coming to Town

Leendert Coenen
Dec 3, 2023

Room: Advent of Cyber 2023 Day 3

Detective Frost-eau looking for his snow arm

Day 3 starts with a bang: Detective Frost-eau catches an intruder and loses his arm! Still, he commences the chase!

After an explanation about how unsafe PIN codes are, I continue wondering why this is so often used for banking and government apps. Only having limited attempts to successfully enter the PIN is one measure of security, but still I think there are better ways. What do you think?

We’ll start off with Crunch, a tool that generates a list of all possible password combinations based on given criteria. We need to issue the following command:

crunch 3 3 0123456789ABCDEF -o 3digits.txt

The command above specifies the following:

  • 3 minimum length
  • 3 maximum length
  • 0123456789ABCDEF character selection
  • -o 3digits.txt output file location

So let's make the file!

The generated file should look like this: every line contains a possible combination of the provided characters.

Next we’ll launch Hydra on the login page. When viewing the page source, we find that a POST request is sent to login.php.

hydra -l '' -P 3digits.txt -f -v MACHINE_IP http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000

  • -l '' indicates that the login name is blank as the security lock only requires a password
  • -P 3digits.txt specifies the password file to use
  • -f stops Hydra after finding a working password
  • -v provides verbose output and is helpful for catching errors
  • MACHINE_IP is the IP address of the target
  • http-post-form specifies the HTTP method to use
  • "/login.php:pin=^PASS^:Access denied" has three parts separated by :
      • /login.php is the page where the PIN code is submitted
      • pin=^PASS^ will replace ^PASS^ with values from the password list
      • Access denied indicates that invalid passwords will lead to a page that contains the text “Access denied”
  • -s 8000 indicates the port number on the target

A few minutes later we find the password in the terminal.

Using the password to get into the website, we find a button called “Unlock Door”. Pressing this button will make the flag visible.
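Why the list runs out in minutes, and what the limited-attempts measure mentioned earlier changes, shown as an added example that is not part of the room or the original write-up. The names PinLock and guesses_evaluated, the PIN "A7F", the client address and the lockout values are all hypothetical; everything runs in-process with no network traffic.

```python
import hmac
import itertools
import time

CHARSET = "0123456789ABCDEF"  # same character set as the crunch command above
KEYSPACE = ["".join(p) for p in itertools.product(CHARSET, repeat=3)]  # 16**3 entries

class PinLock:
    """PIN check with a per-client failure limit (hypothetical, constructed)."""

    def __init__(self, pin, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self._pin = pin
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}      # client -> failed attempts since last reset
        self._locked_until = {}  # client -> time at which the lockout ends

    def attempt(self, client, guess):
        now = self._clock()
        if self._locked_until.get(client, 0) > now:
            return "locked"  # the guess is not evaluated at all
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self._failures.pop(client, None)
            return "ok"
        self._failures[client] = self._failures.get(client, 0) + 1
        if self._failures[client] >= self.max_failures:
            self._locked_until[client] = now + self.lockout_seconds
            self._failures[client] = 0
        return "denied"

def guesses_evaluated(lock, client, candidates):
    """Feed candidates in order; return (guesses the lock evaluated, PIN found)."""
    evaluated = 0
    for guess in candidates:
        result = lock.attempt(client, guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False

if __name__ == "__main__":
    pin = "A7F"  # hypothetical PIN, not the room's answer
    print(len(KEYSPACE), "candidates in the 3-character keyspace")
    unlimited = PinLock(pin, max_failures=10**9)  # effectively no limit
    print("no limit:         ", guesses_evaluated(unlimited, "10.0.0.5", KEYSPACE))
    print("5-failure lockout:", guesses_evaluated(PinLock(pin), "10.0.0.5", KEYSPACE))
```

With no limit the whole keyspace is reachable, so the PIN always falls; with the lockout only five guesses are evaluated per 15-minute window, which stretches an exhaustive pass over the same list from minutes to days.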

Happy Hacking!
