This will be a walkthrough of the Hydra room on TryHackMe (THM). Hydra is an essential tool for any ethical hacker or penetration tester, so it is very important to become familiar with it. Hydra is a brute-forcing tool most commonly used to brute force login pages. It accomplishes this by using what’s called a dictionary attack: you feed Hydra wordlists that contain either passwords or usernames to enter into the text fields, and Hydra then submits them in rapid succession until it finds a value that passes the login page, at which point it displays the credentials on the command line. In this room we are given a username, so we only have to obtain the password to get the flag. I will be using the rockyou.txt wordlist for this room; be mindful that your wordlist may be located in a different location on your computer, so copying my commands exactly may not work as you won’t be feeding Hydra the wordlist properly.

“Use Hydra to brute force molly’s web password. What is flag 1?”

The first thing we need to do is build our command for Hydra. Using Hydra over HTTP is probably the most tedious of the protocols and can be the most frustrating to write, as one syntax error foils the whole command. We’ll start by looking at the command and then breaking it apart.

The command begins with “hydra”. So far so good. Next we need to enter our username. THM tells us our username is “molly”. We denote this with a “-l”. It is very important that the L is lowercase, because that denotes that the username is fixed and we do not need a wordlist; otherwise we would use “-L” and then feed it a wordlist. Next up is “-P”; this flag indicates that the following input is the path to our wordlist. If this were a lowercase “-p”, that would tell Hydra that the following input is a single password and not a wordlist to use in the attack. Next we put in the IP address of the website we are attacking.

The next part is the trickiest and varies from website to website. We need to enter the HTTP info into the command, which essentially tells Hydra the values it needs to change and how to know it has succeeded. One way to work this out is to first try some default credentials like admin:admin and intercept the request using a proxy tool like Burp or ZAP.

Note: I forgot to screenshot my proxy the first time, so the IP is different; just ignore that.

Beginning at the top you can see that we are using an HTTP POST form and the current page is /login. Next we see that the website has entered our credentials at the bottom as “username=admin&password=admin”. This is important for our syntax, because in our command we enter it as “username=molly&password=^PASS^”; ^PASS^ is the placeholder Hydra replaces with each word from the list, so the website will process all of Hydra’s requests properly. Next we need to tell Hydra when to stop, but how will it know? For that we use the F flag and set its value equal to whatever the website displays after receiving incorrect credentials. It could be something such as “Incorrect username” or “That user does not exist”. Then, when Hydra doesn’t receive that reply, it knows it has the right password. In our case we need to enter “Your username or password is incorrect.”

Once we put it all together it should look something like this.

(Note the colons used to separate the data towards the end.)

Now all we have to do is run the command to obtain the password. It should only take a couple of seconds, so if you find yourself waiting for more than, say, 30 seconds, double check your syntax and re-enter the command. You can also add a “-V” at the end to make it verbose and watch every attempt, though this can muddy up your terminal screen. However, it also makes your screen move super fast like it does in hacker movies, so there are pros and cons.

I won’t be sharing the password here because that would ruin the fun, but the output should look like this.

“Use Hydra to brute force molly’s SSH password. What is flag 2?”

If you obtained the first flag then this one is a walk in the park. You use all of the same principles, except this time you can get rid of all the HTTP input and simply put in “ssh” like so.

After you get the password you can connect to the machine via SSH and get the flag!
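On the defending side, the rapid-fire pattern described in both the web and SSH sections above is easy to spot in logs: sshd writes one “Failed password” line per guess, and the web form attack leaves the same signature as a burst of POST /login requests in the access log. The script below is an added example, not code from the original walkthrough or from the Hydra project; the auth.log lines are constructed, and the source addresses, threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH's failed-login line as sshd writes it to auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: a Hydra-style burst against 'molly' from one host, one
# unrelated failure from another host, then the attacker's successful login.
SAMPLE_LOG = """\
Mar 10 12:00:01 target sshd[2001]: Failed password for molly from 10.10.14.5 port 51000 ssh2
Mar 10 12:00:01 target sshd[2002]: Failed password for molly from 10.10.14.5 port 51001 ssh2
Mar 10 12:00:02 target sshd[2003]: Failed password for molly from 10.10.14.5 port 51002 ssh2
Mar 10 12:00:02 target sshd[2004]: Failed password for molly from 10.10.14.5 port 51003 ssh2
Mar 10 11:58:40 target sshd[1990]: Failed password for bob from 192.168.1.20 port 40000 ssh2
Mar 10 12:00:03 target sshd[2005]: Failed password for molly from 10.10.14.5 port 51004 ssh2
Mar 10 12:00:03 target sshd[2006]: Accepted password for molly from 10.10.14.5 port 51005 ssh2
"""

def parse_failures(text):
    """Yield (timestamp, ip, user) per failed line; syslog stamps carry no year, so 1900 is assumed."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")

def find_bursts(events, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: (count, usernames)} for sources with at least `threshold`
    failures inside any sliding `window`; count is the largest window hit."""
    per_ip = defaultdict(list)
    for ts, ip, user in events:
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in per_ip.items():
        attempts.sort()  # log lines may arrive out of order
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            n = end - start + 1
            if n >= threshold and n >= flagged.get(ip, (0,))[0]:
                flagged[ip] = (n, {u for _, u in attempts[start:end + 1]})
    return flagged

if __name__ == "__main__":
    for ip, (n, users) in find_bursts(parse_failures(SAMPLE_LOG)).items(): print(f"{ip}: {n} failed logins within 10s against {sorted(users)}")
```

On the sample log only 10.10.14.5 is flagged (five failures in two seconds), while the lone failure from 192.168.1.20 is ignored; the same sliding-window logic applies to web access logs once the parser is pointed at POST /login lines.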

A bonus tip: tldr

There can be a lot of different syntax rules depending on which protocol you’re attacking, and it can be hard to remember them all; reading all of the manuals is tedious and time consuming. One command line tool that helps is “tldr”. This tool provides condensed versions of a few of the capabilities of not just Hydra but dozens of other commands, and can be a big time saver.