Hello again, stuck on the brute forcing module again, the question is: “Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?”
and I got the results of User:123456
I’ve tried varying my priorly stated lines & got the same results yet I can’t login to the site to fetch the flag for those credentials. What am I missing? I’ve read and re-read the module
Hey! No worries. Make sure you inspect a test login with Burpsuite or Developer Tools. Your parameters are wrong. Also take another look at the page html because your fail string has a slight mistake.
First off, thank you for your repeated help. You are a legend.
Secondly-- I still am having a lot of trouble. I’ve sifted through the “Determine Login Parameters” section multiple times and I came up with
which is slightly different but again yields the same results as last time. What confuses me about the module is if you’re always burping with the credentials “Admin:admin” wouldn’t the string always be “username=^USER^&password=^PASS^:F” and as far as the form name, the only option that makes sense to me is ‘admin_login’
I am so desperately lost & confused. This part is making no sense to me I have no idea what parameters to use if not those ones.
So the burping piece is to see what the parameters are. Try this, launch burpsuite, turn intercept on, then try to login with test:test as credentials. When you catch the request in burpsuite. Look at the parameters, you should see user=test&.... try it out.
username=^USER^&password=^PASS^:F=<form name=‘log-in’”
Your fail sting looks perfect!!! Its now just the parameters.
Parameters are just what the admin_login.php file expects. And actually they are usually built into the HTML of the webform itself. It could be named anything, it could be id=test&pass=password. So that should answer your question that the form wouldn’t always be “username=^USER^&password=^PASS^.
Keep me posted if you have anymore issues understanding this. I will try to explain it further if needed. Or show screenshots of what I mean.
so I got burp to say “user=test&pass=test” on line 18 and I crafted a new command, which still seems to not work. I misunderstood, I suppose and thought it would look like this.
so there HAVE been some changes made but something about the parameters isnt making sense. I don’t want the answer! Im getting closer but a little more information would be appreciated. This has had me stumped awhile. I appreciate your patience.
it’s all good, i’m on a M-F schedule anyway ! Unfortunately now on the next portion of the assessment, the IP address isn’t connecting to the website or pinging the server & I think i broke something on the infrastructure.
I got the right answer but still server was not giving me the flag.
I tried 1 work around to get my flag.
intercept the request on burp → copy the request to file.
execute this command
ffuf -request admin_login.req -request-proto http -w /usr/share/wordlists/rockyou.txt -fs 422 -x http://localhost:8080
all the request will go through the burp and you can see the flag there too.
it might just work for other people too if server is not giving the flag even after getting the password from hydra.
also stuck on this question for a few hours now… and losing patience
“Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?”
good luck to others being stuck here…
Edit: 5 mins after posted this msg managed to get it (also one of the reasons I posted in the first place to get me going…)
Couldn’t manage without reading all the helpful posts multiple times and trying out everything!
Good luck and thanks for the help!
! Unfortunately now on the next portion of the assessment, the IP address isn’t connecting to the website or pinging the server & I think i broke something on the infrastructure.
