[Difficulty Level: Easy] [Time: <15 minutes] [ Password Cracking ]
This article was written to document my solution to “Lernaean Hydra”, a retired hack the box web Challenge created by Arrexel. This tutorial involves password cracking and a little network packet analysis. Hack the Box is a popular free platform used to build offensive security skills.
This challenge was solved using a Google Cloud preemptible n1-standard-8 instance (8 vCPUs, 30 GB memory) running Ubuntu 18.04 LTS. The packages used in this walk through included openvpn and hydra. It was also necessary to download a decent password list; I got mine from the Skull Security Wiki.
The Lernaean challenge is comprised of the following steps: (1) Observations and Reconnaissance, (2) Password Cracking/Brute Force Attack, (3) Cracked Password Submission, (4) Network Forensic Analysis, and (5) Solution and Flag.
Step 1: Observations and Reconnaissance
The Lernaean challenge is rated fairly easy as indicated by the difficultly bars in the screenshot below and was released on July 26th, 2017. It is described as follows, “Your target is not very good with computers. Try and guess their password to see if they may be hiding anything!”.
When you connect to the docker instance, the following website is served:
Observation #1: Searching the internet for the word ‘Lernaean’ brings up a lot of links that discuss a creature called a “Lernaean Hydra”. What a clue! Hydra is also the name of a popular password-cracking tool. This strongly suggests that I may need to use Hydra to solve this password-related challenge.
Observation #2: When checking out the challenge instance, the website asks its user to “please not guess the password.” 🤔 This combined with the instructions that read, “Your target is not very good with computers. Try and guess their password to see if they may be hiding anything!” also suggests that I may need to crack the password used here.
Observation #3: This site uses HTTP protocols and looks very bare bones. If you inspect the HTML the entire site is less than 25 lines long:
When I navigate to `Application`>`Cookies`>`[docker URL]` I’m not seeing anything super obvious going on in the cookies such as a Boolean value for authentication:
Initially, I ignored the hint given at the start of the challenge and I tried to see if there were any classic input sanitation vulnerabilities. I was unsuccessful in getting any values to return and instead was only able to get an “Invalid password!” response shown below.
At this point I determined it might be worthwhile to explore if appropriate authentication transmission security controls are implemented. I could do this by sniffing the traffic from the host to the challenge site to identify any sensitive information being sent in plain text or similar. Due to the strength of the challenge clue and observation #1, I begin solving this challenge using Hydra.
Step 2: Password Cracking and Brute Force Attack
Hydra takes just a little bit of tampering to get used to the syntax. The command used to launch this attack is shown below.
hydra -l admin -P passwordlist.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s [PORT NUMBER] -t [thread count]
Let’s break this command down and get a feel for the processes that are occurring in the command above:
- `-l` : defines a username login string
- `-P`: defines the password list being used
- `docker.hackthebox.eu`: directs hydra to the appropriate URL
- `http-post-form`: defined the protocol to be used in this attack
- `“/:password=^PASS^:Invalid password!” `: here we are using the submission form values found earlier while inspecting the HTML code. `/:password=^PASS^` indicates that we will be using the values in the password file we specified earlier using `-P`. The `:Invalid password!` is the expected value to be returned by the site when a wrong password is entered.
- `-t`: number of allocated threads to perform this tasks
For general definitions of hydra options used above, call the hydra help page using the following command:
hydra --help | grep [search_term]
Hydra may take several minutes or longer, depending on the resources available to your computing instance and they way you run the tool. For example, if you take the default task count of 16, this task would take you roughly 8000 hours. However, using 64 I was able to crack this password in 23 seconds using the `rockyou.txt` password list.
Step 3: Cracked Password Submission
Now that we have the admin’s password we can use it in the input form.
LOL I guess the will be a bit more than just guessing the password 🙄 … I’m not seeing any flags here — this page only says we’re “too slow.”
Step 4: Network Forensic Analysis and Flag
From here I can try capturing the `http` requests and responses sent during authentication and investigate these messages for clues. To do this, I return to the home page and resubmit the known password `leonardo`; the subsequent web traffic will be captured using Wireshark. You can, however, use any sort of packet capture tool for this task.
Note earlier in observation #2 that this particular site is using `http`protocols. Use a packet analyzer to look at the captured network packets. There will probably be more than just the traffic we are looking for so be sure to filter these packets for `http`; only two should appear:
By inspecting these packets I found the HTB flag:
Thanks for reading!