When we enter a random key into the form at this page, we get “invalid key”. We can use this to formulate a hydra command. Choose big.txt wordlist, select http-post-form, the address 10.10.10.3, the location of the form “/kzMb5nVYJw/index.php” with our field “key” and the ^PASS^ string (the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^), and the third colon delimited argument that designates failure “invalid key”. -l is for our login name which is empty, -f is for exit when a login/pass pair is found, -V is for verbose.