Hydra says different passwords are correct each run, but only one works
I am doing CTF 'Skynet' from THM and came across this problem. Enumerating SMB, I gathered credentials 'milesdyson' and a list of passwords 'log1.txt'. I figured that I could try to brute force squirrelMail login form using Hydra. This is the POST request by Burpsuite.
According to this video, I could use the following syntax to perform a brute force attempt through Hydra: <url>:<form parameters>:<condition string> [:<optional> [:<optional>]]
It also explained that the last part (condition string) is a trigger to indicate success or failure in my request.
I saw that the server response to my request is "Unknown user or password incorrect."
Could I add the word "incorrect" as the condition, or is the whole sentence "Unknown user or password incorrect." better?
This is my attempt:
hydra -l milesdyson -P /root/log1.txt http-post-form://10.10.6.90/squirrelmail/src/login.php:"login_username=^USER^&secretkey=^PASS^":"incorrect" -F -I -V
What I noticed is that by executing the same command, I get different solutions each time (the correct solution is cyborg007haloterminator, which is seen sometimes, but not always). Why is Hydra concluding that these other passwords with terminator in them are correct? If I try any of them, I get the "Unknown user or password incorrect." message.
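Hydra's http-post-form module treats a bare condition string such as "incorrect" as a failure marker: every response that does not contain it is reported as a valid login. The added example below (not from the original post, and not Hydra's own code) models that check over constructed responses to show how any non-login reply, for instance a server error, lacks the marker and is counted as a hit, while a success marker (Hydra's S= prefix) only fires on the real login; the response bodies and the "signout.php" marker are constructed for illustration.

```python
# Constructed sample responses keyed by the password that produced them.
# (status, body) pairs are made up for illustration, not captured from the box.
RESPONSES = {
    "haloterminator1": (200, "<html>Unknown user or password incorrect.</html>"),
    "haloterminator2": (200, "<html>Unknown user or password incorrect.</html>"),
    "overloaded":      (503, "<html>Service Unavailable</html>"),
    "realpassword":    (302, "<html>Redirecting... <a href='signout.php'>Sign Out</a></html>"),
}


def classify(body, condition):
    """Mimic the http-post-form condition logic.

    A bare string or 'F=...' is a failure marker: the attempt is a hit
    when the marker is ABSENT from the body.
    'S=...' is a success marker: the attempt is a hit only when PRESENT.
    """
    if condition.startswith("S="):
        return condition[2:] in body
    marker = condition[2:] if condition.startswith("F=") else condition
    return marker not in body


def hits(responses, condition):
    """Return the sorted list of passwords the condition would report as valid."""
    return sorted(pw for pw, (_status, body) in responses.items()
                  if classify(body, condition))


if __name__ == "__main__":
    # The 503 body has no 'incorrect' in it, so a failure marker flags it as a hit.
    print("failure marker 'incorrect':", hits(RESPONSES, "incorrect"))
    # A success marker only matches the body of a real login.
    print("success marker 'S=signout.php':", hits(RESPONSES, "S=signout.php"))
```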