Need help with Hydra

I followed step 8 of this write up:

I got my own csrf and session id with burp. The password is potter so I created a 4 word text file with potter in it.

hydra -l harvey -P potter.txt -t 60 monitor.bart.htb http-form-post "/index.php:csrf=20b83b37e6481284a34622b93c991dc5058af3017557c0b986d3becc192fa923&user_name=^USER^&user_password=^PASS^&action=login:F=incorrect:H=Cookie\: PHPSESSID=719kkhe9uudb01ccch7uim8bme" 
[STATUS] 4.00 tries/min, 4 tries in 00:01h, 1 to do in 00:01h, 4 active
[STATUS] 2.00 tries/min, 4 tries in 00:02h, 1 to do in 00:01h, 4 active
[STATUS] 1.33 tries/min, 4 tries in 00:03h, 1 to do in 00:01h, 4 active

I also tried bart.htb/monitor instead of monitor.bart.htb (they have different csrfs and session ids):

hydra -l harvey -P potter.txt -t 60 bart.htb http-form-post "/monitor:csrf=de835c15a6afb89d33ab402ddd7fd4593e358a216c9372184bf31bb6be7d02d5&user_name=^USER^&user_password=^PASS^&action=login:F=incorrect:H=Cookie\: PHPSESSID=lko2635j50335h6ut1ii7oou44"

Any thoughts as to why this isn’t working?

I used hydra for a second login page on Bart. This page didn’t have csrf tokens or cookies so I just left it out of hydra and it worked. I tried leaving it out on the first login page but it gave me false positives. This makes me think it’s not working because of the csrf and/or cookie.

IppSec doesn’t attempt to brute force it since there’s a csrf token set, stating that it’s a pain to code. If that is true, then how was the previous link and this link able to get it working with a relatively simple hydra one liner?

hydra -L users.txt -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-25.txt "http-post-form://bart.htb/monitor/:csrf=43aa9be1c2751cd82f916413a9d6696b501a075b0bd0a818c3a126e5aa6f809f&user_name=^USER^&user_password=^PASS^&action=login:incorrect:H=Cookie\:PHPSESSID=utstuc3mhm4glhnre75qao4t59"

I tried the exact same thing with my own csrf token and cookie but it just hangs, even with a wordlist of only 4.

Hey dude,
I came across the same situation. Trying to helping my self (question to my self - “What would ippsec do?”) I simply capture the packets using wireshark to see what the hell is going on. I found out that if you set the Cookie parameter no request were send by hydra.

Little bit of seaching and I finally found this issue in hydra: SOLUTION: How to solve DVWA /vulnerabilities/brute/ · Issue #612 · vanhauser-thc/thc-hydra · GitHub

Long story short, there is a bug in hydra 9.1.1
Versions 9.0 and 9.2+ are fine. Unfortunately Kali repro still distribute version 9.1.1 of hydra :-1: