Forum Discussion
sh5801
Bronze I
21 days ago
Hack Your First Web App: Ep.6 - Hydra
I am stuck on Question 7 which instructs you to use hydra to brute force a password. I was able to use it correctly on Ep. 5.
I have tried using the same cmd and changing to the login page but it returns 16 incorrect matches rather than one.
hydra -l test -P /usr/share/wordlists/custom/ozone-wordlist.txt ozone-energy.bitnet http-form-post "/login:username=^USER^&password=^PASS^&Login=Login:Invalid Password"
2 Replies
- LewisMutton
Bronze II
Almost there! Make sure that your failure string matches the response from the login form 😜
- CyberSharpe
Silver I
sh5801​
I agree with LewisMutton. You almost have it.
A quick scan using Burp and entering incorrect creds allowed me to find the correct string for failed login.
This is the only change you need to make to your syntax.
Additionally, some vulnerable apps use weak or predictable passwords. Always worth a shot.
If this works consider it solved ;)
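
Added example (not part of any post in this thread): a simplified Python model of why a failure string that never appears in the response makes every attempt look like a match. The response bodies, the candidate list and the `fake_login` stand-in are constructed for illustration and are not the lab's real output.

```python
# Simplified model of a form-login failure check: an attempt is reported
# as a hit whenever the failure marker is absent from the response body.
# All response bodies and passwords below are constructed sample data.

FAILED_BODY = "<html><p class='err'>Login unsuccessful (constructed)</p></html>"
OK_BODY = "<html><h1>Welcome back (constructed)</h1></html>"


def fake_login(password: str) -> str:
    """Stand-in for the target form; only one constructed password works."""
    return OK_BODY if password == "correct-horse" else FAILED_BODY


def marker_is_usable(marker: str, known_failed_body: str) -> bool:
    """A marker is only usable if a known-bad login actually returns it."""
    return marker in known_failed_body


def reported_hits(candidates, marker):
    """Return every candidate whose response lacks the failure marker."""
    return [pw for pw in candidates if marker not in fake_login(pw)]


CANDIDATES = ["summer2024", "letmein", "correct-horse", "ozone123"]

if __name__ == "__main__":
    # First marker is absent from the constructed failure page, second is present.
    for marker in ("Invalid Password", "Login unsuccessful"):
        usable = marker_is_usable(marker, fake_login("definitely-wrong"))
        hits = reported_hits(CANDIDATES, marker)
        print(f"{marker!r}: usable={usable}, reported hits={hits}")
```

Checking the marker against one deliberately failed login first, as `marker_is_usable` does, is the same step as reading the failed-login response in a proxy.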