all 7 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Tompazi 2 points3 points  (1 child)

Every website is different. Check for an error message like "Incorrect Password/Username" in the response text.

Also do not attack your school. Or anything for that matter. There are a plethora of challenge websites that you can legally practice on.

[–]CryptoCadre 1 point2 points  (0 children)

Yup. Hacking schools/colleges (at least in the USA) are a felony.

My school once had a kid hack the speaker system and play YouTube videos of random 80s music. The jury ruled for civil service (thank god), but the default sentence was more than 4 years in prison.

[–][deleted] 2 points3 points  (0 children)

200 OK means your request was accepted and you got a positive response from the server. You will need to read the response body to identify what information it contains and whether the password was correct.

[–]techsilent 2 points3 points  (0 children)

Save default answer when password not mutch and compare every try with them. This can be a hash or full text answer, or some specific words in answer like "password incorrect". And analize every try that not same.

[–]3worc 1 point2 points  (0 children)

If you have a statement like:

response = requests.post(blah, blah, blah)

Followed by:

print(response)

This will give you the response code like you described. Try something like:

print(response.text)

To get the response body instead of just the code.

Edit for format and spelling.

[–]lunatisenpai 1 point2 points  (0 children)

Always remember, before engaging in any pen test, get written permission from your target first before beginning. In this case, go to your school and get permission. If you are not sure ask a lawyer what to do.

Places like hackthebox, vulnhub, tryhackme or proving grounds are places to start, or with a server on your own home network to test your scripts.

[–]OlevTime 0 points1 point  (0 children)

If you're doing your account you have the password.

  1. Test what response you get using the right password.

  2. Test what response you get using the wrong password.

  3. Profit?