[Day 17] Hydra-ha-ha-haa

This room is just usingt the hydra tool to brute force a web form and then SSH. Reading the description informs you that the once popular rockyou.txt wordlist is recommended (advise you follow those kinds of tips).

Use Hydra to bruteforce molly’s web password. What is flag 1? THM{2673a7dd116de68e85c48ec0b1f2612e}

If you don’t know how to use hydra, real quick: there’s a wizard that will guide you, yet for http-post-form there’s some steps you need to take.
First, go to the login page and view the source, find the form and make sure your input name matches (most often it’s user or username and pass or password or small variations thereof, however, sometimes, web developers get clever and rename them other things. So, just make sure to take that step, before you waste time brute forcing nothing.
Hydra command:
hydra -l molly -P /usr/share/wordlists/rockyou.txt -u -e sr -s 80 -m “/login:username=^USER^&password=^PASS^:incorrect” 10.10.172.189 http-post-form
username: molly – password: sunshine

Use Hydra to bruteforce molly’s SSH password. What is flag 2? THM{c8eeb0468febbadea859baeb33b2541b}

Nothing to know about the ssh module, there’s no special parameters (just be sure you’ve got the actual SSH port and not a honeypot, no rabbit holes in this room anyway)
Well, one thing, I guess. I tend to limit threads to 3 (an common sshd_config setting, default is 6, hydra recommends 4). This slows down your brute force attack, but it’ll keep it from crapping out.
Hydra command:
hydra -l molly -P /usr/share/wordlists/rockyou.txt -u -e sr -t 4 10.10.172.189 ssh
username: molly – password: butterfly