Almost every bruteforcing or cracking task from HackTheBox/TryHackMe uses the rockyou.txt wordlist. You can google it and download it, if you can’t find it in your Kali distro under the path /usr/share/wordlists/rockyou.txt.gz
If you’re using Kali then you have Hydra already installed, all you have to do is run two commands:
Run the following command, the password should be cracked in less than one minute.
Here’s how I’ve solved the Bitlab machine on Hack The Box.
As usual we start of with a nmap scan:
root@kali:~# nmap -p- -sV 10.10.10.114
Nmap scan report for 10.10.10.114
Host is up (0.044s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.44 seconds
The scan shows an nginx web server and ssh. If we visit the web server we’ll find a Gitlab instance. Gitlab is used by developers to host their source code. I tried searching for exploits but nothing came up.
As the developer we find two code repos, Profile and Deploy. We only care about the Profile one, any edits we make to the repo get reflected in the http://10.10.10.114/profile page, because Gitlab auto deploy is configured that way.