Hydra question

optcond · August 26, 2023, 1:32pm

Hello, I need some help with hydra tool. I am trying to bruteforce Jenkins on one of the starter machines.

└─$ hydra -L testuser -P testpass 10.129.8.179 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -s 8080 -v
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-26 15:26:34
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:2/p:6), ~1 try per task
[DATA] attacking http-post-form://10.129.8.179:8080/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[STATUS] attack finished for 10.129.8.179 (waiting for children to complete tests)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-26 15:26:38

Hydra keeps telling 0 passwords found despite the fact that the password and username are definitely in the lists (12 records total). I tried :F=/loginError option also and the tool still can’t pick the login\password. What am I doing wrong? Thanks