LOGIN BRUTE FORCING - Skills Assessment - Website

I have been attached to it for a long time now, brute forcing the authentication and getting the flag.
I have already read the instructions / question several times.

hydra always hangs for a long time and tries combinations for hours.

What is not quite clear to me is whether you can or must also use information from the previous assessments. So it’s still about Bill Gates.

***EDIT: Immediately after posting it finally worked. I respawned the target again after realizing the command would complete stating that the target could not be found, and it worked using rockyou-10.txt for myself.***

Hey there, I just made an account for here as I am experiencing some troubles with this module. I am on the login form attacks section, and you know following the examples…

  1. I get an error stating that the password file doesn’t exist although I am using the exact same format in the example. I get this specifically using:

-P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

However it completes like normal using:

-P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-05.txt

I tried to cat the rockyou.txt file and get prompted for admin password.

  2. Don’t have much else to go off from, did you ever get past this?

Me too I am stuck here. Did you get the solution, would you mind giving me a pointer?

Which part are you stuck on? I believe this Skill Assessment was a two part Assessment.

I am stuck on the second question, i.e. logging in to admin_login.php
I have reread the whole section and compiled a list of all usernames we had so far in this module (b.gates, m.gates, user, admin, thomas, abbas) and used rockyou-10.txt as a wordlist.
However, hydra does not find any results. I was adapting the Fail-String as well as the query parameters.

I assume a short wordlist should be sufficient, as this is just a learning module.

Before you get too deep, I think you hit a little forum trap from reading previous posts. Read the hint for the second question.

If you have completed the first question then you already have a username.

So focus on the password list and definitely definitely focus on the fail string. I think that is another big hurdle for people trying this assessment.

DM me if you need further help. But I think that should get you rolling.
-onthesauce

Hahah. I was looking too far. Thanks a lot!

Been there done that haha! No problem, again feel free to reach out.
-onthesauce

Hi,
I’m stuck as well at the second question. I have tried different wordlists with no luck.
Can you help me out, please?

use the username from the previous question

Any hints on the fail string? I ended up with 50+ usable passwords, none of which worked.

  • disregard - onthesauce helped me out

Can someone give me a hint? I think I have the fail string correct and I’m using rockyou-10.txt but I can't get it.

HINTS:

  1. Pay attention to the Login path, I know in the previous labs it was /login.php, but not on this one.
  2. Pay attention to the login parameters, in the previous labs they were username & password, but not on this one. You can check it from the Developer Tools [Ctrl+I]
  3. Just like everyone said, Fail String is different on this one as well, it can be checked from Page Source [Ctrl+U]

Once you have figured out all three, it is just like the command that was used in the previous labs, but with those 3 modifications.
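
Added example (not part of any post in this thread): reading the form path and parameter names out of the page source, and why a fail string that never appears in the response makes every guess look like a hit. The HTML, the path `/portal/signin.php`, the field names `acct`/`secret` and the message text are all constructed placeholders, not the lab's values.

```python
from html.parser import HTMLParser

# Constructed sample pages (not taken from the lab): a login form, the page
# returned after a failed login, and the page returned after a successful one.
LOGIN_PAGE = """<html><body>
<form action="/portal/signin.php" method="post">
  <input type="text" name="acct">
  <input type="password" name="secret">
  <input type="submit" value="Sign in">
</form>
</body></html>"""
FAILED_PAGE = LOGIN_PAGE.replace("<form", "<p class='err'>Access denied</p>\n<form")
SUCCESS_PAGE = "<html><body><h1>Dashboard</h1></body></html>"


class FormReader(HTMLParser):
    """Collects the first form's action, method and named input fields."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.method = None
        self.fields = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
            self.method = a.get("method", "get").lower()
            self._in_form = True
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields.append(a["name"])  # unnamed inputs are never submitted

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def read_form(html):
    r = FormReader()
    r.feed(html)
    return r.action, r.method, r.fields


def looks_successful(body, fail_string):
    """Fail-string rule: a response counts as a success when the string is absent."""
    return fail_string not in body
```

With the correct string ("Access denied" here) only `SUCCESS_PAGE` passes; with a string carried over from an earlier lab that this page never prints, `FAILED_PAGE` passes too, which is how a run ends up reporting dozens of "valid" passwords.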

what wordlist on username?