Login Brute Forcing Module - Skill Assessment

Looking for a little help. I have the user and the correct fail string and parameters for the Skill Assessment - Website in the Login Brute Forcing Module. I am not getting a hit with the usual password lists (rockyou-10.txt, rockyou (times out before completing). Any nudge in the right direction would be appreciated.

I have looked at other forum posts and noticed that others had similar issues. Appreciate any help.

part of the hydra arguments: http-post-form "/admin_login.php:user^USER^&pass=^PASS^:F=<form name='log-in'"

Hey! I would recommend using a larger rockyou.txt password list. rockyou-10.txt will not work! But as you said the largest one times out. There should be others larger than rockyou-10.txt and smaller than rockyou.txt. Just keep increasing the list size until you find it!
-onthesauce

Thanks I have tried all from 10 to 70 with no success. I am at a loss. I know it is likely something simple, but I can’t figure out what it is.

I commented too soon on my own thread - my syntax is the same as yours. I’ve changed the F=<form name=‘log-in’" to S=‘log-out’ or S=‘HTB’" trying to find creds that work. I either get no password or passwords that don’t work.

Looks like we both initially missed it. Crazy what the lack of a = can do.

For others reference this should be user=^USER^
-onthesauce

http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'" is what I've been running over and over again.

I’ve tried running the sed commands against the rockyou.txt files (from the password policy example) trying to avoid the false positive passwords, but it hasn’t worked. I have no idea what I’m missing here.

That looks right. Are you using the user name from the first question?

Sorry for the delayed response - I took a break for a week. I’m using the same username as I did for the first question, which the hint says to do.

my full syntax is hydra -l admin -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-75.txt -f 68.183.41.76 -s 31630 http-post-form “/admin_login.php:user=^USER^&pass=^PASS^:F=<form name=‘log-in’”

The only thing I can see that seems odd is the ip starts with 68 and should probably be 168. But when you respawn the box it will give you a new ip to work with. Aside from that I would say this looks correct.

No idea about “SSH” part, how do you design your dict?