I have been attached to it for a long time now, brute forcing the authentication and getting the flag.
I have already read the instructions / question several times.
hydra always hangs for a long time and tries combinations for hours.
What is not quite clear to me is whether you can or must also use information from the previous assesments. So it’s still about Bill Gates.
***EDIT: Immediately after posting it finally worked, I respawned the target again after realizing the command would complete stating that the target could not be found. and it worked using rockyou-10.txt for myself. ***
Hey there, I just made an account for here as I am experiencing some troubles with this module. I am on the login form attacks section, and you know following the examples…
-P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
However it completes like normal using:
-P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-05.txt
I tried to cat the rockyou.txt file and get prompted for admin password.
Me too I am stuck here. Did you get the solution, would you mind giving me a pointer?
Which part are you stuck on? I believe this Skill Assessment was a two part Assessment.
I am stuck on the second question, i.e. logging in into admin_login.php
I have reread the whole section and compiled a list of all usernames we had so far in this module (b.gates, m.gates, user, admin, thomas, abbas) and use rockyou-10.txt as a wordlist.
However, hydra does not find any results. I was adapting the Fail-String as well as the query parameters.
I assume a short wordlist should be sufficient, as this is just a learning module
Before you get too deep, I think you hit a little forum trap from reading previous posts. Read the hint for the second question.
If you have completed the first question then you already have a username.
So focus on the password list and definitely definitely focus on the fail string. I think that is another big hurdle for people trying this assessment.
DM me if you need further help. But I think that should get you rolling.
-onthesauce
Hahah. I was looking too far. Thanks a lot!
Been there done that haha! No problem, again feel free to reach out.
-onthesauce
Hi,
I’m stuck as well at the second question. I have tried different wordlists with no luck.
Can you help me out , please?
use the username from the previous question
Any hints on the fail string? I ended up with 50+ usable passwords, none of which worked.
can someone give me a hint? i think I have the fail string correct and I’m using rockyou-10.txt but I cant get it 
what wordlist on username?
I still trying to figure out the list. I just used rockyou.txt and every time i got different passwords
There is probably something wrong with your failstring or parameters. Feel free to DM me, but give those a double check. I would also recommend using a list of rockyou-50 or above, but not the full rockyou.txt list.
-onthesauce
no i use admin_login.php but i dont really get what do you mean by ‘‘failstring’’. Also every time i use rockyou#.txt i get different passwords for some reason
I would go back and review some of the material again. When building the hydra command you should be using the http-post-form and in the quotes should be file-to-target:post-parameters:fail/success-string.
That gives hydra the file/form to target, the parameters to load data into, and the string to check for after sending the attack. If there is no failstring to check for, or if that fail string is wrong then it will mess with the output.
As I said before, feel free to DM me the line you are using and I will help guide you.
-onthesauce
pay attention to the sections. after ‘‘F=’’ you have to put something that is NOT going to be there after you log in.
I spent 2 days with this, and I was just pissed,how this misleading it was.
First:
Intro says:
"Our customer requested an additional black box penetration test for another host on its network. After our host and port scans, we discovered just one single TCP port open.THIS PART >>>>>>Since we’ve already found weak credentials on the other host, the new host may be vulnerable to the same vulnerability type. We should consider different wordlists as well during our engagement. <<<<<<<<
Oh, and let’s not forget about those previous usernames that people think they can use. Sorry, folks, but it’s not happening. No adm…, b.ga…, or m.ga… for you! It’s like trying to fit a square peg into a round hole. It’s just not gonna work.
Second, they give us this cheat sheet that’s about as useful as a chocolate teapot.
HTB version of Cheat Sheet According to it, we should use “username=” and “password=” in our command line. But wait, that’s not true! As it turns out, those are just going to give us false positive passwords. If we want to find the correct password in less than a minute (because who has time for anything else?), we need to use the Hydra examples instead: “user=” and “pass=”. BOOM! See, isn’t this fun?
hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
######### Hydra says:
from the hydra -U http-post-form
"Examples:
“/login.php:user=^USER^&pass=^PASS^:incorrect”
How to pass headers so I wont get an error?
hydra -C /creds <IP> -s <PORT> http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=Login:H=Authorization\: Basic <ENCRyPTED>;Cookie\: PHPSESSID=<COOKEI>" -I -V
[ERROR] no valid optional parameter type given: F