@nns2009 said:
I am stuck at the first part.
- How many passwords am I supposed (and allowed) to bruteforce?
I wrote a simple Javascript script and tried all passwords in
http://downloads.skullsecurity.org/passwords/john.txt.bz2
and
http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2
HackTheBox rules state that “Any form of DoS (Denial of Service) is forbidden” so I am a bit hesitant to bruteforce the whole rockyou set.
- People here write about using Hydra and Burp. Is there something special about using those programs or is it just a way not to write your own bruteforcing script?
Update: Password is found but the first question remains for other challenges of the site: how much am I allowed to bruteforce?
Update 2: Solved but the questions remain
You don’t need bruteforce; try to understand how login works on this website.