I have been attached to it for a long time now, brute forcing the authentication and getting the flag.
I have already read the instructions / question several times.
hydra always hangs for a long time and tries combinations for hours.
What is not quite clear to me is whether you can or must also use information from the previous assessments. So it’s still about Bill Gates.
***EDIT: Immediately after posting it finally worked, I respawned the target again after realizing the command would complete stating that the target could not be found, and it worked using rockyou-10.txt for myself.***
Hey there, I just made an account for here as I am experiencing some troubles with this module. I am on the login form attacks section, and you know following the examples…
I get an error stating that the password file doesn’t exist although I am using the exact same format in the example. I get this specifically using:
I am stuck on the second question, i.e. logging in to admin_login.php
I have reread the whole section and compiled a list of all usernames we had so far in this module (b.gates, m.gates, user, admin, thomas, abbas) and use rockyou-10.txt as a wordlist.
However, hydra does not find any results. I was adapting the Fail-String as well as the query parameters.
I assume a short wordlist should be sufficient, as this is just a learning module.
Before you get too deep, I think you hit a little forum trap from reading previous posts. Read the hint for the second question.
If you have completed the first question then you already have a username.
So focus on the password list and definitely definitely focus on the fail string. I think that is another big hurdle for people trying this assessment.
DM me if you need further help. But I think that should get you rolling.
-onthesauce
Pay attention to the Login path, I know in the previous labs it was /login.php, but not on this one.
Pay attention to the login parameters, in the previous labs they were username & password, but not on this one. You can check it from the Developer Tools [Ctrl+I]
Just like everyone said, Fail String is different on this one as well, it can be checked from Page Source [Ctrl+U]
Once you have figured out all three, it is just like the command that was used in the previous labs, but with those 3 modifications.