BreakMySSH is one of the most straightforward machines on DockerLabs — and deliberately so. Its single objective is to teach the mechanics of a dictionary-based SSH brute-force attack using Hydra. There is no web enumeration, no steganography, and no privilege escalation chain: the attack goes from zero to root in a single Hydra command. That simplicity makes it perfect for building muscle memory around the brute-force workflow before moving on to more complex machines.
Machine Info
| Field | Details |
|---|---|
| Difficulty | Very Easy (Muy Fácil / Súper Fácil) |
| Category | Hacking Infraestructura |
| OS | Linux (Debian 12 Bookworm) |
| Key Techniques | Port scanning, SSH brute force |
| Default Target IP | 172.17.0.2 |
Phase 0: Launch Kali Portable
Open a second terminal and start your Kali Portable environment:
Phase 1: Deploy the Machine
Download breakmyssh.zip from DockerLabs. The archive contains two files:
- auto_deploy.sh — Bash script that launches the containerised machine
- breakmyssh.tar — The vulnerable Docker image
In your first terminal, launch the machine with the deploy script:
Phase 2: Reconnaissance
Nmap Port Scan
Run a version-detection and default-script scan:
| Argument | Meaning |
|---|---|
| -sC | Runs default NSE scripts |
| -sV | Detects service and version info |
| --min-rate 2000 | Minimum packet rate for speed (use carefully in real tests) |
Findings:
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH 9.2p1 (Debian 12 Bookworm) |
Only port 22 is open. No web server, no FTP — SSH is the only way in.
Vulnerability analysis: No known critical CVEs affect OpenSSH 9.2p1. This machine is not about exploiting a software vulnerability — it is about exploiting a weak password.
Phase 3: SSH Brute Force with Hydra
Since there is only an SSH service and no other enumeration path, we go straight to a credential attack. The approach is to test a list of common usernames against the full rockyou.txt wordlist.
| Argument | Meaning |
|---|---|
| -L usernames.txt | Wordlist of usernames to try |
| -P rockyou.txt | Password wordlist |
| ssh://172.17.0.2 | Target protocol and IP |
| -t 4 | 4 threads — low enough to avoid overwhelming the SSH daemon |
Hydra finds a valid login: the user root with the password estrella.
The -t 4 flag keeps the thread count low. SSH servers can close connections or temporarily block IPs if too many simultaneous authentication attempts arrive. In this Docker environment, higher thread counts work fine, but 4 threads is a good habit for real-world testing.
Phase 4: Access and Verification
Connect to the machine using the credentials Hydra found. The session lands directly in a shell as root. No privilege escalation required — the machine was configured with root SSH login enabled and a weak password.
Explore the system and capture the flag:
Because we obtained root credentials directly via brute force, there is no privilege escalation step on this machine. The vulnerability is entirely in the password choice and SSH configuration — not in any Linux permission model flaw.
Post-Lab Cleanup
Press Ctrl+C in your deploy terminal to stop and remove the container. Type exit in the Kali Portable terminal to close your session.
Key Takeaways
This machine demonstrates three compounding security failures that are all too common in real environments:
Root SSH Login Is Dangerous
Allowing direct root login over SSH eliminates the need for privilege escalation entirely. Set PermitRootLogin no in /etc/ssh/sshd_config and always require privilege escalation from a regular account.
Weak Passwords Are Easily Cracked
The password estrella is found in rockyou.txt within seconds. A strong, randomly generated password of 16+ characters would have made this attack impractical. A passphrase is even better.
SSH Keys Beat Passwords
The most effective defence against SSH brute force is disabling password authentication entirely and requiring key-based auth. Set PasswordAuthentication no in sshd_config once you have deployed your public key.
Fail2Ban Stops Hydra
Even with a weak password, fail2ban would have blocked Hydra after a configurable number of failed attempts (typically 5). Install it with apt install fail2ban and enable the SSH jail as a minimum baseline.
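As an added example (not part of the original writeup), the following Python audit checks an sshd_config text for the settings these takeaways name, plus MaxAuthTries as a per-connection limit. It respects sshd's first-value-wins rule, which is how a "PermitRootLogin no" appended below an earlier "yes" silently fails to harden anything. The defaults it assumes for absent keywords (PermitRootLogin prohibit-password, PasswordAuthentication yes, MaxAuthTries 6) are OpenSSH's documented defaults; the two sample configs are constructed.

```python
# Defaults OpenSSH applies when a keyword is absent from sshd_config.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "maxauthtries": "6"}

def parse_sshd_config(text):
    """Map keyword -> value for the global section of an sshd_config.
    Keywords are case-insensitive and '#' starts a comment. sshd keeps the
    FIRST value it reads for each keyword, so a later 'PermitRootLogin no'
    does not override an earlier 'yes'. Lines after the first 'Match' are
    conditional and are skipped here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if parts and "=" in parts[0]:  # sshd also accepts 'Key=value'
            parts = line.split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].strip().lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def audit_sshd_config(text):
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS[k])
    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is %s; set it to no" % get("permitrootlogin"))
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is yes; deploy keys, then set it to no")
    if int(get("maxauthtries")) > 3:
        findings.append("MaxAuthTries is %s; lower it to 3" % get("maxauthtries"))
    return findings

# Constructed samples: a lab-style weak config and a hardened one.
WEAK_CONFIG = """\
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
PermitRootLogin=no
PasswordAuthentication no
MaxAuthTries 3
Match User deploy
    PasswordAuthentication yes
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a host to list what still needs changing; an empty list means all three checks pass.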