This will be solution for Level 12 Practical Web Hacking CTF #2.

In this level unfortunately we have a very realistic example of how easy it is to bruteforce web applications, our objective is to try to bruteforce a login and password. The procedure is very simple we need to collect the information that would allow us to execute the requested as if it were made by the browser.


  1. Collect input names.
  2. find the sugested wordlist.
  3. setup hydra.

The world list suggested is a very known from john ripper, so we set our brute force application with the following.

	hydra http-form-post \
	Incorrect username or password combination" \
	-l admin -P password-2011.lst -t 10 -w 30 -o logins.txt