Stuck on the skills assessment for website brute force

Hi all, looking for some direction for this assessment.
This is the first part of the two-part assessment for website brute force in the basic toolset path.

i’ve changed the http-post-form as such:

"/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"

i tried using the names.txt and rockyou-10.txt for the username and password wordlists respectively.
i have also tried the default login pair ftp-betterdefaultpasslist.txt as well.

With all the above i am still not able to brute force the authentication and obtain the flag. i am wondering if i am missing something here


You should already have the username from the first step of the skill assessment. And I would try a larger wordlist than rockyou-10.

Other than that, your parameters and fail string look perfect. I would probably wrap that line in a spoiler though.

thanks for the quick reply. i dont think i have gotten the username though. i have tried admin, b.gates, m.gates, all of which appear to be incorrect

I thought the first step of the Skill Assessment required a username and password to get you to the other login page?

Yes i am stuck on the first question, that is where i got stuck and could not obtain the username and password, as i tried different wordlists and the response was either 0 results or it took a very long time to generate results

Sorry if it all sounds confusing

Okay! Wow, yes very confusing, but we are beyond that now. So the first step of the skill assessment goes back to some of the first sections learned in the module. There shouldn’t be any http post form. From what I remember its a basic authentication and probably uses a GET request instead. I would do a quick review of the beginning of the module and give it another shot.

Do that and DM me if it still doesn’t click.

Thank you. Maybe i was overthinking on the question and jumped the gun. I will review it again once i get home. Will post an update here

hey @onthesauce thanks for guiding me. i managed to solve the first part of the assessment.

1 Like

Every time I run hydra it spits out a different valid password. I am pretty sure I’m using the correct syntax. Any thoughts?

I am missing the fail string but can’t find it in the page source view either!

Hey, make sure you specify what part of the website brute force you are on! I have seen people trying the POST request brute force on the basic auth part. DM me the line you are using and I will see if I can push you in the right direction.