Hello again, stuck on the brute forcing module again, the question is: “Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?”
and I got the results of User:123456
I’ve tried varying my priorly stated lines & got the same results yet I can’t login to the site to fetch the flag for those credentials. What am I missing? I’ve read and re-read the module
Hey! No worries. Make sure you inspect a test login with Burp Suite or Developer Tools. Your parameters are wrong. Also take another look at the page HTML because your fail string has a slight mistake.
First off, thank you for your repeated help. You are a legend.
Secondly-- I still am having a lot of trouble. I’ve sifted through the “Determine Login Parameters” section multiple times and I came up with
which is slightly different but again yields the same results as last time. What confuses me about the module is if you’re always burping with the credentials “Admin:admin” wouldn’t the string always be “username=^USER^&password=^PASS^:F” and as far as the form name, the only option that makes sense to me is ‘admin_login’
I am so desperately lost & confused. This part is making no sense to me I have no idea what parameters to use if not those ones.
So the burping piece is to see what the parameters are. Try this: launch Burp Suite, turn intercept on, then try to log in with test:test as credentials. When you catch the request in Burp Suite, look at the parameters; you should see user=test&.... Try it out.
username=^USER^&password=^PASS^:F=<form name=‘log-in’”
Your fail string looks perfect!!! It’s now just the parameters.
Parameters are just what the admin_login.php file expects. And actually they are usually built into the HTML of the webform itself. It could be named anything, it could be id=test&pass=password. So that should answer your question that the form wouldn’t always be “username=^USER^&password=^PASS^”.
Keep me posted if you have any more issues understanding this. I will try to explain it further if needed. Or show screenshots of what I mean.
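What the reply above says about parameter names coming from the form's own HTML, as an added example that is not part of any post in this thread. The sample page is constructed from names mentioned in the thread (admin_login.php, user, pass, log-in), and describe_forms and request_body are hypothetical helper names.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample page using names mentioned in this thread;
# it is NOT the real exercise page.
SAMPLE_HTML = """
<form name='log-in' action="admin_login.php" method="post">
  <input type="text" name="user" placeholder="Username">
  <input type="password" name="pass" placeholder="Password">
  <input type="submit" value="Login">
</form>
"""

class FormFieldParser(HTMLParser):
    """Collect every <form> with its name, action, method and named inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"name": a.get("name"), "action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            # Only inputs that carry a name attribute are sent to the server.
            self._current["fields"].append(
                (a["name"], (a.get("type") or "text").lower(), a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def describe_forms(html):
    parser = FormFieldParser()
    parser.feed(html)
    return parser.forms

def request_body(form, username, password):
    """Body a browser would POST for this form with a test login."""
    fill = {"password": password, "text": username, "email": username}
    return urlencode([(n, fill.get(t, v)) for n, t, v in form["fields"]])

if __name__ == "__main__":
    for f in describe_forms(SAMPLE_HTML):
        print(f["name"], f["action"], [n for n, _, _ in f["fields"]])
        print(request_body(f, "test", "test"))
```

The printed body is the same string an intercepting proxy would show for a test:test login against this constructed form, which is why the field names have to be read from the page rather than assumed.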
so I got burp to say “user=test&pass=test” on line 18 and I crafted a new command, which still seems to not work. I misunderstood, I suppose and thought it would look like this.
So there HAVE been some changes made but something about the parameters isn’t making sense. I don’t want the answer! I’m getting closer but a little more information would be appreciated. This has had me stumped awhile. I appreciate your patience.
It’s all good, I’m on a M-F schedule anyway! Unfortunately now on the next portion of the assessment, the IP address isn’t connecting to the website or pinging the server & I think I broke something on the infrastructure.
I got the right answer but still server was not giving me the flag.
I tried 1 work around to get my flag.
intercept the request on burp → copy the request to file.
execute this command
ffuf -request admin_login.req -request-proto http -w /usr/share/wordlists/rockyou.txt -fs 422 -x http://localhost:8080
All the requests will go through Burp and you can see the flag there too.
It might just work for other people too if the server is not giving the flag even after getting the password from hydra.
also stuck on this question for a few hours now… and losing patience
“Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?”
good luck to others being stuck here…
Edit: 5 mins after posted this msg managed to get it (also one of the reasons I posted in the first place to get me going…)
Couldn’t manage without reading all the helpful posts multiple times and trying out everything!
Good luck and thanks for the help!
Please, how did you pass this assessment? I have used Burp payloads and have tried the http-post-form.
Here is the command I used:
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f (targetip). -s port http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F<form name='log-in'"
I don’t know why the password I got is not working. I also used Burp, same result.
I’m stuck. Did you end up using the path /usr/share/wordlists/ or
/opt/useful/SecLists/Passwords/Leaked-Databases/ or /opt/useful/SecLists/Passwords/Default-Credentials/? I have tried all the text files :(.
I had come across too many passwords and I tried them all but nada. Maybe the username is not admin?
I also tried using the parameter /admin_login.php but it does not work.
Found it after 6hrs, it was a simple syntax error on the form name part. I also connected to htb-VPN, which idk if it helped or not. Check the cheatsheet. It helped a lot.
Not sure where you’re all getting the admin_login.php page or the fail string log-in because those are nowhere to be found. Even the exercise literally says to target the login.php page and the <form name='login' fail parameter which is in the burp and even browser response, and not log-in. Same for the parameters, they are username and password and not user and pass. I’m hella confused here
Hello to everyone, I would like some suggestions.
hydra -l user -P /usr/share/SecLists/Passwords/Leaked-Databases/rockyou-75.txt -f 94.237.48.203 -s 54084 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"
This was my payload but it takes hours. Is this normal?