Hello everyone,
I completed the Ignition machine of Starting Point, but on task 6, to avoid manual brute force, I also tried to use Hydra to brute-force it. It does not work and I don’t know the reason.
I created a wordlist of 10 strings (called wordlist.txt) where I placed the correct password in the middle.
If I submit the command in the following way:
hydra -l admin -P wordlist.txt -u -f "ignition.htb" -s 80 -V http-form-post '/admin:form_key=L5doLYoTkK8BEEp5&login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:F=<span>Welcome, please sign in</span>'
In the output I get “0 valid password found”. Why doesn’t it get the correct password?
I also tried to use other strings after :F=, such as "incorrect" or "login-form", but I get the same output.
Note: form_key changes when it expires (you can check this by manually submitting some credentials and checking whether you get the message "Invalid key". Then refresh, and with the browser dev tools you can get the current form_key).
Thank you in advance!