How to HYDRA – HTTP POST

DISCLAIMER!

This information is written to help with any sort of CTF style challenges, please do not go attempting this against a live website i.e your friend/ex’s/cats social media for the following reasons;

1: You are breaking the law! If you ever intend on working in a Cyber Security role, something like this on a criminal record is not worth it!

2: You’re not likely to succeed – most accounts have automatic lockouts, remember when you get your password wrong 3 times? Same principle.

3: To an intrusion detection system this stands out, its the equivalent of a burglar setting off your alarm!

With that out of the way, the reason I’ve wrote this is because the HTTP POST FORM function of HYDRA took me a while to get my head around.

The Post Form Syntax

Im going to use the syntax from my Try Hack Me Mr. Robot to show a working example as well as the theory.

The basic syntax for these are

hydra -l <USER> -p <PASSWORD> <IP_ADDRESS> http-post-form "<LOGIN_PAGE>:<REQUEST_BODY>:<ERROR_MESSAGE>"

There are also options that go along with this;

With the username and password, it matters if it is an uppercase L or uppercase P.

If they are uppercase you are going to need to specify the filepath and name of the dictionary you want it to use for either the username or password. If they are lowercase you need to enter a value for either the username or password.

To enable verbose output add -V

To stop when you have a correct login add -f

Now to capture the request body you can capture this from either Burpsuite or you can do this through Firefox, I do use both and for me the only thing it comes down to is if ive got Burpsuite already open.

Method 1 – Burpsuite

There are multiple guides on how to use Burpsuite and tryhackme has an entire room and lesson to Burpsuite,

Once youve got your proxy and intercepted the request, You will have a screen like the below. On line 14 you can see the request body and this is what you need to copy. The request body can differ massively, some are more complex than others.

burpsuite option for hydra

Method 2

Method two involves Firefox which does work just as well as Burpsuite for these requests, the below images are taking from a THM box and not a live wordpress site.

On the image below I am on the login screen with my network tab on Firefox visible, now I’m going to type some random entries into the username and password to get a request.

using firefox to capture the post command

Below I’ve got my failed login with the “Error: incorrect username” displayed which we are going to use for our error message and we can see the POST request in the network tab, so to get my request body you need to click on edit and resend.

using firefox to capture the post command
using firefox to capture the post command

Once You’ve clicked on edit and resend you will have something that looks like the below

using firefox to capture the post command

The bit your going to copy is the entire line in the request body which will look something like this.

log=GuessUSER&pwd=Guesspass&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.236%2Fwp-admin%2F&testcookie=1

Now to get your request body to work with Hydra, you need to tell it where the username and password fields are, so in this example I used GuessUSER for the username and Guesspass for the password.

To designate the user field in hydra you need to use ^USER^ and for the password you need to use ^PASS^

So this request body becomes;

log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.236%2Fwp-admin%2F&testcookie=1

Putting it all together!

So now I have the information I need, in this example we are going to use the dictionary to complete a dictionary attack to get a username, this can be done for the password after.

hydra -L fsocity.dic -p guessing 10.10.129.236 http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.129.236%2Fwp-admin%2F&testcookie=1:F=Invalid username"

In the above example, you can see that I’ve used an uppercase -L to show that’s the part i want HYDRA to use the dictionary for.

The lowercase -p shows that i want it to use that same password for every attempt.

we then have the request body we captured from either Firefox or Burpsuite and put our ^USER^ and ^PASS^ elements in.

And we finished with F=Invalid Username which tells Hydra when it receives that specific message the username was wrong.

Conclusion

I hope this helps with your CTF challenges and once mastered, it really does make it easier and it stays with you.

Again, please do not try this against any live website as they do have multiple measures in place to detect these attempts, this is just for educational purposes relating to CTF challenges.

Marc