Oh my god… Am i blind?? It was just over there and didn’t see it. Thanks. Just gone through the data really carefully. > @it4chi said:
@d3m0nr007 said:
I found the password but i am stuck in the second part. I am intercepting the requests and i can see the responses. i found the tag. Don’t know what to do next. Hints please…
I struggled with that as well. Just carefully go over the Spoiler Removed - Arrexel you should get it.
I am a complete noob what am I missing it looks like hydra gave me the password and I type it in but its still invalid Im reading everything on every Tab but its all like reading Hieroglyphs
Can someone give a hint please. I’m using Hydra with http-post-form without ^USER^, am I on right way? And some passwords with this params response without “Invalid password!” but there still doesnt works. And I’ll already doing interception with burp, but can’t figure out something unusual, what I need to mentioned?
People here write about using Hydra and Burp. Is there something special about using those programs or is it just a way not to write your own bruteforcing script?
Update: Password is found but the first questions remains for other challenges of the site: how much am I allowed to bruteforce?
People here write about using Hydra and Burp. Is there something special about using those programs or is it just a way not to write your own bruteforcing script?
Update: Password is found but the first questions remains for other challenges of the site: how much am I allowed to bruteforce?
Update 2: Solved but the questions remain
you don’t need bruteforce, try to understand how login work on this website
@justromeo said:
you don’t need bruteforce, try to understand how login work on this website
Do you want to say that this challenge allows multiple solutions?
I would assume that challenges not designed to be bruteforced would have strong enough password
@justromeo said:
you don’t need bruteforce, try to understand how login work on this website
Do you want to say that this challenge allows multiple solutions?
I would assume that challenges not designed to be bruteforced would have strong enough password
This challenge is designed to be brute forced. I’m not sure there’s a hard and fast rule on DoS (for challenges), but there are definitely some challenges where throwing rockyou at the running service is the correct thing.