LOGIN BRUTE FORCING - Skills Assessment - Website

zatroa · December 25, 2021, 11:20am

I have been attached to it for a long time now, brute forcing the authentication and getting the flag.
I have already read the instructions / question several times.

hydra always hangs for a long time and tries combinations for hours.

What is not quite clear to me is whether you can or must also use information from the previous assesments. So it’s still about Bill Gates.

dontdothat · February 14, 2022, 4:10am

***EDIT: Immediately after posting it finally worked, I respawned the target again after realizing the command would complete stating that the target could not be found. and it worked using rockyou-10.txt for myself. ***

Hey there, I just made an account for here as I am experiencing some troubles with this module. I am on the login form attacks section, and you know following the examples…

I get an error stating that the password file doesn’t exist although I am using the exact same format in the example. I get this specifically using :

-P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

However it completes like normal using:

-P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-05.txt

I tried to cat the rockyou.txt file and get prompted for admin password.

Don’t have much else to go off from, did you ever get past this?

discovolante · March 9, 2022, 1:43pm

Me too I am stuck here. Did you get the solution, would you mind giving me a pointer?

onthesauce · March 9, 2022, 2:12pm

Which part are you stuck on? I believe this Skill Assessment was a two part Assessment.

discovolante · March 9, 2022, 2:23pm

I am stuck on the second question, i.e. logging in into admin_login.php
I have reread the whole section and compiled a list of all usernames we had so far in this module (b.gates, m.gates, user, admin, thomas, abbas) and use rockyou-10.txt as a wordlist.
However, hydra does not find any results. I was adapting the Fail-String as well as the query parameters.

I assume a short wordlist should be sufficient, as this is just a learning module

onthesauce · March 9, 2022, 2:32pm

Before you get too deep, I think you hit a little forum trap from reading previous posts. Read the hint for the second question.

If you have completed the first question then you already have a username.

So focus on the password list and definitely definitely focus on the fail string. I think that is another big hurdle for people trying this assessment.

DM me if you need further help. But I think that should get you rolling.
-onthesauce

discovolante · March 9, 2022, 2:37pm

Hahah. I was looking too far. Thanks a lot!

onthesauce · March 9, 2022, 2:39pm

Been there done that haha! No problem, again feel free to reach out.
-onthesauce

Hokovi · March 29, 2022, 2:24pm

Hi,
I’m stuck as well at the second question. I have tried different wordlists with no luck.
Can you help me out , please?

OlivierVDN97 · October 18, 2022, 5:21pm

use the username from the previous question

strugglebus · October 18, 2022, 6:08pm

Any hints on the fail string? I ended up with 50+ usable passwords, none of which worked.

disregard - onthesauce helped out me out

amanda.d.howard97 · December 16, 2022, 11:03pm

can someone give me a hint? i think I have the fail string correct and I’m using rockyou-10.txt but I cant get it

garagol · January 7, 2023, 6:11am

HINTS:

Pay attention to the Login path, I know in the previous labs it was /login.php, but not on this one.
Pay attention to the login parameters, in the previous labs they were username & password, but not on this one. You can check it from the Developer Tools [Ctrl+I]
Just like everyone said, Fail String is different on this one as well, it can be cheeked from Page Source [Ctrl+U]

Once you have figured out all three, it is just like the command that was used in the previous labs, but with those 3 modifications.

pokolhaboru · January 16, 2023, 7:17pm

what wordlist on username?