🍡Using Hydra
The first command given to break down was "hydra -l <username> -P <full path to pass> MACHINE_IP -t 4 ssh".
The following table shows which option does what.

| Option | Description |
| --- | --- |
| -l | username |
| -P | list of passwords |
| -t | specifies the number of threads |
The next command was "hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V".
The following table breaks each part in this command down.

| Option | Description |
| --- | --- |
| -l | single username |
| -P | indicator to use the password list |
| http-post-form | indicates the type of form |
| /login url | login page url |
| :username | form field to enter the username |
| ^USER^ | tells hydra to use the username |
| password | form field where the password is entered |
| ^PASS^ | uses password list supplied prior |
| Login | login failed message indicator |
| Login failed | login failure message |
| F=incorrect | if it appears on the page, the attempt is incorrect |
| -V | verbose output |
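As an added illustration (not part of the original walkthrough or the room's material), the Python sketch below splits the http-post-form string into the parts listed in the table and decodes the resulting form body the way a server-side parser would, which also shows why the fields in the body must be separated by "&". The function names and the sample password are made up for the example, and only the first three colon-separated fields are handled.

```python
import re
from urllib.parse import parse_qs

def parse_form_spec(spec):
    # Split "path:body:condition" on colons; a backslash-escaped colon stays in its field.
    parts = [p.replace("\\:", ":") for p in re.split(r"(?<!\\):", spec)]
    if len(parts) < 3:
        raise ValueError("expected path:body:condition")
    path, body, cond = parts[:3]  # any further optional fields are ignored here
    if cond.startswith("S="):
        kind, marker = "success", cond[2:]
    else:
        # "F=" prefix, or no prefix at all: the marker means the login failed
        kind, marker = "failure", (cond[2:] if cond.startswith("F=") else cond)
    return {"path": path, "body": body, "kind": kind, "marker": marker}

def render_body(body, user, password):
    # Fill the ^USER^ / ^PASS^ placeholders for one candidate pair.
    return body.replace("^USER^", user).replace("^PASS^", password)

def form_fields(rendered):
    # Decode the body the way a server-side form parser would.
    return {k: v[0] for k, v in parse_qs(rendered, keep_blank_values=True).items()}

def login_failed(spec, response_text):
    # Failure marker present, or success marker absent, counts as a failed attempt.
    found = spec["marker"] in response_text
    return found if spec["kind"] == "failure" else not found

# Constructed samples: the password and the response text are made up.
WITH_AMP = "/login:username=^USER^&password=^PASS^:F=incorrect"
NO_AMP = "/login:username=^USER^password=^PASS^:incorrect"

if __name__ == "__main__":
    for raw in (WITH_AMP, NO_AMP):
        spec = parse_form_spec(raw)
        fields = form_fields(render_body(spec["body"], "molly", "example-pass"))
        print(spec["path"], spec["kind"], repr(spec["marker"]), fields)
    spec = parse_form_spec(WITH_AMP)
    print(login_failed(spec, "Your username or password is incorrect."))
```

Without the "&", the server decodes a single "username" field whose value swallows the rest of the body, so no "password" field is ever submitted.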
Using the commands we learned, we are instructed to use Hydra to find Molly's passwords.
The first thing I did was go through my /usr/share/wordlists folder to find my available wordlists that were already preinstalled. The one I ended up using for this exercise was rockyou.txt.
Using the command, "hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.100.155 http-post-form "/login:username=^USER^&password=^PASS^:incorrect" -V", I used Hydra to brute force molly's password.
Going back to the web server available on this IP, I used the credentials given to log in and capture the first flag.
To find Molly's ssh password, I used the command, "hydra -l molly -P /usr/share/wordlists/rockyou.txt".
Using these credentials, I was able to log in to molly's system.
From here, I was able to search around the directories to find the flag.
Using "ls" to list the files in the current directory and then using "cat" to read the file found, I was able to find the second flag.