Login Brute Forcing Skills Assessment

Hello again, stuck on the brute forcing module again, the question is: “Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?”

I know the username is User so I used this

hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.59.206 -s 48254 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='login'"

and I got the result User:123456.
I've tried varying my previously stated lines and got the same results, yet I can't log in to the site to fetch the flag with those credentials. What am I missing? I've read and re-read the module.

Hey! No worries. Make sure you inspect a test login with Burp Suite or Developer Tools. Your parameters are wrong. Also take another look at the page HTML, because your fail string has a slight mistake.

Let me know if you have any troubles.

First off, thank you for your repeated help. You are a legend.
Secondly, I still am having a lot of trouble. I've sifted through the "Determine Login Parameters" section multiple times and I came up with

hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.62.195 -s 54773 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"

which is slightly different but again yields the same results as last time. What confuses me about the module is: if you're always burping with the credentials "Admin:admin", wouldn't the string always be "username=^USER^&password=^PASS^:F", and as far as the form name goes, the only option that makes sense to me is 'admin_login'.

I am so desperately lost and confused. This part is making no sense to me; I have no idea what parameters to use if not those ones.

Hey dude, no worries.

So the burping piece is to see what the parameters are. Try this: launch Burp Suite, turn intercept on, then try to log in with test:test as credentials. When you catch the request in Burp Suite, look at the parameters; you should see user=test&.... Try it out.

username=^USER^&password=^PASS^:F=<form name='log-in'"
Your fail string looks perfect!!! It's now just the parameters.

Parameters are just what the admin_login.php file expects. And actually they are usually built into the HTML of the web form itself. It could be named anything; it could be id=test&pass=password. So that should answer your question that the form wouldn't always be "username=^USER^&password=^PASS^".

Keep me posted if you have any more issues understanding this. I will try to explain it further if needed, or show screenshots of what I mean.

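As an added, defender-side example (not from this thread or the module it discusses): a Python script that parses access-log lines for the burst of identical-size login responses that a hydra or ffuf run against /admin_login.php leaves behind, and flags the client whose last response looks different. The log lines, addresses, user agents and sizes are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format access-log lines (not from any real server). Every
# failed attempt returns the same 200/422-byte page; the last attempt returns a 302.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "POST /admin_login.php HTTP/1.1" 200 422 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "POST /admin_login.php HTTP/1.1" 200 422 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "POST /admin_login.php HTTP/1.1" 200 422 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "POST /admin_login.php HTTP/1.1" 200 422 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "POST /admin_login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [12/Mar/2024:10:00:09 +0000] "POST /admin_login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):  # -> (ip, timestamp, method, path, status, size) or None
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status")), size

def detect_login_bruteforce(log_text, login_path="/admin_login.php",
                            threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold POSTs to login_path inside one window. possible_success
    is True when the client's last (status, size) differs from its dominant failure signature."""
    attempts = defaultdict(list)  # ip -> [(ts, status, size), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == login_path:
            attempts[rec[0]].append((rec[1], rec[4], rec[5]))
    flagged = {}
    for ip, recs in attempts.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while recs[end][0] - recs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                failure_sig = Counter((s, sz) for _, s, sz in recs).most_common(1)[0][0]
                flagged[ip] = {"attempts": len(recs),
                               "possible_success": recs[-1][1:] != failure_sig}
                break
    return flagged
```

The same "one response that looks different" signal hydra's F= string and ffuf's -fs filter rely on is what makes the successful guess stand out in the server's own log.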

So I got Burp to say "user=test&pass=test" on line 18 and I crafted a new command, which still seems not to work. I misunderstood, I suppose, and thought it would look like this.

hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.62.195 -s 55240 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"

So there HAVE been some changes made, but something about the parameters isn't making sense. I don't want the answer! I'm getting closer, but a little more information would be appreciated. This has had me stumped a while. I appreciate your patience.


NEVERMIND! I got it to work, you are a genius, thanks.


Nooooo worries!!! Glad you got it. Sorry I wasn’t available to help you in the moment.


It's all good, I'm on an M-F schedule anyway :stuck_out_tongue: ! Unfortunately, now on the next portion of the assessment, the IP address isn't connecting to the website or pinging the server, and I think I broke something on the infrastructure.

Hello, how could you do it?

I feel like I have all the parameters right, but I still can't.

hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-10.txt -f 94.237.62.49 -s 48599 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"

I don't know if it's a dictionary error or something like that. I've tried with username dictionaries, but it doesn't work :frowning:


I got the right answer, but the server was still not giving me the flag.
I tried one workaround to get my flag.

Intercept the request in Burp → copy the request to a file.
Execute this command:

ffuf -request admin_login.req -request-proto http -w /usr/share/wordlists/rockyou.txt -fs 422 -x http://localhost:8080
All the requests will go through Burp, and you can see the flag there too.
It might just work for other people too if the server is not giving the flag even after getting the password from hydra.


You are on the right path. Try a different rockyou text. Good luck :sunglasses: