Hydra is a tool for brute-forcing web-page logins, but you probably already knew that, arriving at this post.
I was trying to find the login for a URL that had /index.php?page=sign_in.php at the end. Burp/PHP code revealed it is passed “username” and “login”, fairly standard. But the triple, colon-separated string you can optionally give Hydra as a last parameter is not very well documented.
In the end, this turned out to work:
# hydra -I -L usernames.txt -P rockyou.txt -S -e nsr bb699ce28112f9a55a0c4fbcc6b2ed8e.ctf.hacker101.com https-post-form "/index.php?page=sign_in.php:username=^USER^&password=^PASS^:wrong"
“wrong” is the response text we were looking for to identify a failed login.
So, /index.php?page=sign_in.php is the first string, and the second string is not prefixed with &; that is only used to separate the following parameters.
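The three-part string described above, checked by a small linter. This is an added example, not part of the original post or of Hydra itself. The function names are hypothetical, and it assumes exactly three fields with `\:` standing for a literal colon inside a field.

```python
import re
from urllib.parse import parse_qsl


def split_form_option(option):
    """Split on unescaped colons; '\\:' stands for a literal colon (assumption)."""
    parts = re.split(r"(?<!\\):", option)
    return [p.replace("\\:", ":") for p in parts]


def check_form_option(option):
    """Return (fields, problems) for a 'path:body:failure-text' string."""
    parts = split_form_option(option)
    if len(parts) != 3:
        return None, [f"expected 3 colon-separated fields, got {len(parts)}"]
    path, body, failure = parts
    problems = []
    if not path.startswith("/"):
        problems.append("path should start with '/'")
    if body.startswith("&"):
        # '&' only separates parameters; the first one has no prefix.
        problems.append("body must not start with '&'")
    params = dict(parse_qsl(body.lstrip("&"), keep_blank_values=True))
    for marker in ("^USER^", "^PASS^"):
        if marker not in params.values():
            problems.append(f"no body parameter is set to {marker}")
    if not failure:
        problems.append("failure text is empty")
    return {"path": path, "params": params, "failure": failure}, problems


if __name__ == "__main__":
    # The string from the post, then two constructed variants with mistakes.
    samples = [
        "/index.php?page=sign_in.php:username=^USER^&password=^PASS^:wrong",
        "/index.php?page=sign_in.php:&username=^USER^&password=^PASS^:wrong",
        "/index.php?page=sign_in.php:username=^USER^&password=^PASS^:Error: wrong",
    ]
    for s in samples:
        fields, problems = check_form_option(s)
        print(s, "->", problems or "ok", fields)
```

The third sample fails because the unescaped colon in the failure text produces a fourth field; writing it as `Error\: wrong` makes it parse as one field.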