LOGIN BRUTE FORCING - Skills Assessment - Website

I have been attached to it for a long time now, brute forcing the authentication and getting the flag.
I have already read the instructions / question several times.

hydra always hangs for a long time and tries combinations for hours.

What is not quite clear to me is whether you can or must also use information from the previous assessments. So it’s still about Bill Gates.

***EDIT: Immediately after posting it finally worked. I respawned the target again after realizing the command would complete stating that the target could not be found, and it worked using rockyou-10.txt for myself.***

Hey there, I just made an account for here as I am experiencing some troubles with this module. I am on the login form attacks section, and you know following the examples…

  1. I get an error stating that the password file doesn’t exist although I am using the exact same format in the example. I get this specifically using:

-P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

However it completes like normal using:

-P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-05.txt

I tried to cat the rockyou.txt file and get prompted for admin password.

  2. Don’t have much else to go off from, did you ever get past this?

Me too, I am stuck here. Did you get the solution, would you mind giving me a pointer?

Which part are you stuck on? I believe this Skill Assessment was a two part Assessment.

I am stuck on the second question, i.e. logging in to admin_login.php
I have reread the whole section and compiled a list of all usernames we had so far in this module (b.gates, m.gates, user, admin, thomas, abbas) and use rockyou-10.txt as a wordlist.
However, hydra does not find any results. I was adapting the Fail-String as well as the query parameters.

I assume a short wordlist should be sufficient, as this is just a learning module

Before you get too deep, I think you hit a little forum trap from reading previous posts. Read the hint for the second question.

If you have completed the first question then you already have a username.

So focus on the password list and definitely definitely focus on the fail string. I think that is another big hurdle for people trying this assessment.

DM me if you need further help. But I think that should get you rolling.

Hahah. I was looking too far. Thanks a lot!

Been there done that haha! No problem, again feel free to reach out.

I’m stuck as well at the second question. I have tried different wordlists with no luck.
Can you help me out, please?

use the username from the previous question

Any hints on the fail string? I ended up with 50+ usable passwords, none of which worked.

  • disregard - onthesauce helped me out

Can someone give me a hint? I think I have the fail string correct and I’m using rockyou-10.txt but I can’t get it :frowning:


  1. Pay attention to the Login path, I know in the previous labs it was /login.php, but not on this one.
  2. Pay attention to the login parameters, in the previous labs they were username & password, but not on this one. You can check it from the Developer Tools [Ctrl+I]
  3. Just like everyone said, Fail String is different on this one as well, it can be checked from Page Source [Ctrl+U]

Once you have figured out all three, it is just like the command that was used in the previous labs, but with those 3 modifications.

what wordlist on username?

I am still trying to figure out the list. I just used rockyou.txt and every time I got different passwords

There is probably something wrong with your failstring or parameters. Feel free to DM me, but give those a double check. I would also recommend using a list of rockyou-50 or above, but not the full rockyou.txt list.

No, I use admin_login.php but I don’t really get what you mean by “failstring”. Also every time I use rockyou#.txt I get different passwords for some reason

I would go back and review some of the material again. When building the hydra command you should be using the http-post-form and in the quotes should be file-to-target:post-parameters:fail/success-string.

That gives hydra the file/form to target, the parameters to load data into, and the string to check for after sending the attack. If there is no failstring to check for, or if that fail string is wrong then it will mess with the output.

As I said before, feel free to DM me the line you are using and I will help guide you.
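How the three-field string described in the post above classifies a response, as an added example that is not part of the original thread and not Hydra's own code. It models only the path:parameters:condition form; the response bodies and the wrong fail string are constructed.

```python
# Simplified model of how a "path:params:condition" option string classifies
# a response. Not Hydra's code; all response bodies below are constructed.

def parse_form_option(option):
    """Split the option string into target path, POST parameters and condition."""
    path, params, condition = option.split(":", 2)
    if condition.startswith("S="):        # success string: must appear
        kind, needle = "success", condition[2:]
    elif condition.startswith("F="):      # failure string: must NOT appear
        kind, needle = "fail", condition[2:]
    else:                                 # a bare string is treated as a failure string
        kind, needle = "fail", condition
    return {"path": path, "params": params, "kind": kind, "needle": needle}


def reported_valid(option, body):
    """True if an attempt whose response is `body` would be reported as a hit."""
    spec = parse_form_option(option)
    found = spec["needle"] in body
    return found if spec["kind"] == "success" else not found


def count_false_hits(option, rejected_bodies):
    """How many rejected-login responses would still be reported as hits."""
    return sum(reported_valid(option, b) for b in rejected_bodies)


# Constructed responses: the login form is served again on failure,
# a different page is served after a successful login.
REJECTED = "<html><form name='login' method='post'>Try again</form></html>"
ACCEPTED = "<html><h1>Dashboard</h1><a href='/logout'>Log out</a></html>"

# Option string as quoted from the cheat sheet on this page.
GOOD = "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
# Same string with a fail string that occurs in no response (constructed).
BAD = "/login.php:username=^USER^&password=^PASS^:F=Wrong password!"

if __name__ == "__main__":
    print(parse_form_option(GOOD))
    print("good fail string, false hits:", count_false_hits(GOOD, [REJECTED] * 5))
    print("bad fail string, false hits: ", count_false_hits(BAD, [REJECTED] * 5))
```

With a fail string that never appears in the response, every rejected attempt is counted as a hit, so the reported passwords are false positives.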

Pay attention to the sections. After “F=” you have to put something that is NOT going to be there after you log in.

I spent 2 days with this, and I was just pissed at how misleading it was.


Intro says:

"Our customer requested an additional black box penetration test for another host on its network. After our host and port scans, we discovered just one single TCP port open. THIS PART >>>>>> Since we’ve already found weak credentials on the other host, the new host may be vulnerable to the same vulnerability type. We should consider different wordlists as well during our engagement. <<<<<<<<"

Oh, and let’s not forget about those previous usernames that people think they can use. Sorry, folks, but it’s not happening. No adm…, b.ga…, or m.ga… for you! It’s like trying to fit a square peg into a round hole. It’s just not gonna work.

Second, they give us this cheat sheet that’s about as useful as a chocolate teapot.

HTB version of Cheat Sheet According to it, we should use “username=” and “password=” in our command line. But wait, that’s not true! As it turns out, those are just going to give us false positive passwords. If we want to find the correct password in less than a minute (because who has time for anything else?), we need to use the Hydra examples instead: “user=” and “pass=”. BOOM! See, isn’t this fun?

HTB Cheat Sheet says:

hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"

Hydra says:
from the hydra -U http-post-form