TryHackMe: Advent of Cyber [Day 17] Hydra-ha-ha-haa

Samantha
5 min read · Oct 1, 2020

Room: Advent of Cyber

Difficulty: Beginner

“You suspect Elf Molly is communicating with the Christmas Monster. Compromise her accounts by brute forcing them!

Use Hydra to brute force Elf Molly’s password. Use the rockyou.txt password list, which can be found here.”

Elf Molly?! Wow…shocking. Let’s get to the bottom of this.

For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.

Question #1: Use Hydra to bruteforce molly’s web password. What is flag 1? (The flag is mistyped, it’s THM, not TMH)

I started off by running an nmap scan to see what info I could gather. It will most likely just show the two ports referred to in the questions, 80 and 22.

Yep, let’s head on over to the website.

Lol! That’s lovely…

In order to use Hydra to get the login credentials, we need some info first. Right click and choose “Inspect Element”. We will need to figure out what type of request the web form is making.

Head to the Network tab:

Next, make up some random username and password combo and hit login. It can be anything, we just want to see what is going on behind the scenes, not try to guess the password at this point:

The website is using POST for the login form. Click on POST and another tab will open up that looks like this:

Click on Resend in the top right corner, then Edit and Resend:

You should now see something like this:

Under the Request Body section at the bottom, you can see the format the POST request is using.

You will also notice the message we got from cheeky Santa after we tried our incorrect login info:

“Your username or password is incorrect”, which is also something we need to know.

We have enough information at this point to attempt Hydra. Use the following command:

hydra -l molly -P <path to rock you> <target ip> http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

The source material has a nice chart which breaks everything down:

Notice that you actually need a username for this method to work. The question states that we need to find “molly’s” password, which is why it is assumed that the username is molly.

Also, I had to redeploy my machines in the middle of this, so you will see different IP addresses moving forward.

Move on to the next question while that is running, or you will be waiting a while.

Question #2: Use Hydra to bruteforce molly's SSH password. What is flag 2?

I definitely prefer to use Hydra with SSH, because it is way simpler. Here is the command you will use:

hydra -l molly -P <path to rock you> <target ip> -t 4 ssh

Now, let’s connect via ssh:

ssh molly@<target ip>

List the files and you will see an obvious flag2.txt. Open it for the flag!
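Seen from the server side, a run like the SSH one above leaves a burst of "Failed password" entries in sshd's authentication log, followed by an "Accepted password" from the same address once the guess lands. The following is an added example, not part of the original write-up or the room: a small Python detector for that pattern. The log lines, host name and addresses are constructed, and the threshold, time window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog format; host name and addresses are made up.
SAMPLE_LOG = """\
Oct  1 12:00:01 elf sshd[901]: Failed password for molly from 10.10.10.5 port 40001 ssh2
Oct  1 12:00:01 elf sshd[902]: Failed password for molly from 10.10.10.5 port 40002 ssh2
Oct  1 12:00:02 elf sshd[903]: Failed password for molly from 10.10.10.5 port 40003 ssh2
Oct  1 12:00:02 elf sshd[904]: Failed password for molly from 10.10.10.5 port 40004 ssh2
Oct  1 12:00:04 elf sshd[905]: Failed password for molly from 10.10.10.5 port 40005 ssh2
Oct  1 12:00:04 elf sshd[906]: Failed password for invalid user admin from 10.10.10.9 port 51000 ssh2
Oct  1 12:00:05 elf sshd[907]: Failed password for molly from 10.10.10.5 port 40006 ssh2
Oct  1 12:00:07 elf sshd[908]: Accepted password for molly from 10.10.10.5 port 40007 ssh2
Oct  1 12:30:00 elf sshd[950]: Accepted password for santa from 10.10.10.20 port 52000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2020):
    """Flag (ip, user) pairs with >= threshold failures inside the window, and
    any password login accepted from a pair that is currently inside a burst."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed here.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        q = recent[key]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", *key))
        elif len(q) >= threshold:         # success straight after a burst
            alerts.append(("login_after_brute_force", *key))
    return alerts
```

The second alert type is the one to escalate: it means a guessed password worked, so the account's credentials should be rotated and its sessions reviewed.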

I checked on our other instance of Hydra still running in the background, taking WAY too long. Bored, I started exploring the file system and found this:

There is a file on here that contains Molly’s login credentials for the web site and a flag? Hmm, I’m not sure if this was the intended solution?

Next, I tried the login on the web page just to double-check:

It worked! Make sure you change around “TMH” to “THM” before you turn the flag in. Looks like that was just a typo.

Looking at the instructions, it is saying that if Hydra makes more than 30 attempts, you’re wrong.

I would love some clarification on that, because while I was waiting I searched for other write-ups and they are all saying the same thing. I asked on Discord and got this response:

James also mentioned that the password IS in rockyou, but it is a long ways down. So technically you could still complete it this way, but you would just be wasting a lot of your time.

Happy Hacking! ❤
