HTB Labs — Tier 1— “Ignition” Machine Walkthrough | By CyberAlp0

Hey Folks, this is CyberAlp0. Back again with a new walkthrough powered by HTB, Tier 1, named “Ignition”. Ignition is one of the VIP labs in HackTheBox — Tier 1 — Starting Point Phase. It covers many aspects and strengthens many skills, like Magento, reconnaissance, common applications, and web site structure discovery.
The lab focuses on strengthening your skills in web discovery, brute forcing directories and some other basic skills. It also highlights the importance of proper configuration of admin password settings.
Let’s not waste more time on the introduction and begin hacking!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you must be on the same network. You can read my Blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Start Solving the Tasks.
Task 1: Which service version is running on port 80?
Answer: nginx 1.14.2.
Walkthrough:
As usual, we will start with gathering information about the target, through performing network scanning using one of the best network mapping tools like Nmap or RustScan.
I will be using Nmap, write the following command in the terminal:
nmap -sV -sC -A 10.129.1.27

As shown in the screenshot, you will notice that only one port is open, 80, and it runs a service called nginx, version 1.14.2.
Note that: NGINX (pronounced “engine-x”) is a popular open-source web server software that is widely used for web application and content delivery tasks.
Here are some of its features and usage:
1- Web server: NGINX’s primary function is to serve web content [static, dynamic].
2- Reverse Proxy: It forwards requests from clients to one or more backend servers, then it returns these requests to the clients once more.
3- Load Balancer: NGINX is used also as a load balancer; it distributes the traffic across multiple backend servers to improve performance and availability.
4- HTTP/HTTPS server: NGINX supports the HTTP & HTTPS protocols, allowing it to serve both secured and unsecured web content.
5- Flexibility & High Performance: NGINX is configurable and can handle large amounts of concurrent traffic with low overhead.
6- Cross-Platform: NGINX is available for a variety of operating systems like Linux, macOS, and Windows in an open-source format, which means that the source code is freely available to be modified.
Task 2: What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?
Answer: 302 [However, the result is supposed to be 200 as shown in the explanation section].
Walkthrough:
To be able to visit the machine through the web, you may locally resolve the IP address of the machine by adding a hostname entry to the local hosts file, /etc/hosts.
Type the following command to edit the “hosts” file:
sudo nano /etc/hosts

Now, if you type in the URI [http://ignition.htb], you will be redirected to the target’s homepage. However, we need to know the HTTP status code. We have 3 different ways of intercepting the traffic and finding the status code.
First Method: Using curl command.
Second Method: Inspecting the webpage.
Third Method: Using Burpsuite
I will use the curl command. Thus, type the following command in the terminal to see the result.
curl -v http://ignition.htb
The result will be shown as in the following screenshot.

You may also use Burp Suite; to learn how to configure Burp Suite properly, refer to this Blog.
Task 3: What is the virtual host name the webpage expects to be accessed by?
Answer: ignition.htb
Walkthrough:
As explained in the previous task, we will locally resolve the IP address of the Ignition machine of HTB to ignition.htb. This is done by editing the hosts file under the /etc path.
Task 4: What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?
Answer: /etc/hosts
Walkthrough:
This file is used for mapping hostnames to IP addresses. You can view or edit this file with a text editor, but you usually need superuser privileges to make changes.
Task 5: Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page?
Answer: http://ignition.htb/admin
Walkthrough:
To find the full URL to the Magento login page using a directory brute-forcing tool, you can use a tool like Gobuster. This tool helps uncover hidden directories on a web server (the command and a breakdown of its flags are given in the next task’s walkthrough). The directory brute force reveals the admin path:
http://{target}/admin
Replace {target} with the hostname of the machine, which is “ignition.htb”, as we have already resolved that hostname to the IP address of the HTB machine. This URL typically leads to the Magento admin login page, which is a common target for brute-force attacks.
Task 6: Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?
Answer: qwerty123
Walkthrough:
We will use the brute force tool called gobuster to enumerate the website’s directories and locate the admin login page, where we will then try the admin user’s password. Write the following command in the terminal:
gobuster dir -u http://ignition.htb -w /usr/share/wordlists/dirb/common.txt
Here is a breakdown for the command:
- gobuster: This is the command to run the Gobuster tool, which is used for brute-forcing directories and files on web servers.
- dir: This mode tells Gobuster that you want to perform directory enumeration. It specifies that you're looking for directories and files.
- -u flag: This flag specifies the target URL you want to scan, which is http://ignition.htb.
- -w flag: This flag specifies the wordlist that Gobuster should use for brute-forcing, which is /usr/share/wordlists/dirb/common.txt.
Note that you might face the following error.

The error indicates that “The server returns a status code that matches the provided options for non-existing URLs → 200. To continue please exclude the status code or the length.”
To solve this issue, you may add the following flag, “-b”.
gobuster dir -u http://ignition.htb -w /usr/share/wordlists/dirb/common.txt -b 200
- -b flag: short for "status-codes-blacklist", it specifies a status code to be excluded from the results.
- In this case, it is set to 200, which means that Gobuster will not display any results that return a 200 OK status code. This is needed here because, as the error above shows, the server answers 200 even for non-existing URLs, so a 200 response alone does not tell us whether a path really exists.

The directory brute forcing will take some time. However, if the brute forcing doesn't succeed with the common.txt file, you may use other wordlists that exist in /usr/share/wordlists.
The password is one of the most popular passwords used in 2023, which is qwerty123.
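From the defender’s side, the scan above leaves a very recognisable trace in nginx’s access log: one client requesting many distinct paths within a few seconds. The following is an added example (not part of the original walkthrough or of HTB) that parses nginx combined-format log lines and flags such sources. Because Ignition answers 200 for everything, the check counts distinct paths per client rather than relying on 404s; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in nginx "combined" log format (not from the original post).
# The first client walks many distinct paths in a few seconds, as a wordlist-driven
# directory scan does; the server answers 200 to everything, as Ignition does.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Jan/2024:12:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 200 25806 "-" "gobuster/3.6"
10.10.14.5 - - [10/Jan/2024:12:00:01 +0000] "GET /images HTTP/1.1" 200 25806 "-" "gobuster/3.6"
10.10.14.5 - - [10/Jan/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 200 7095 "-" "gobuster/3.6"
10.10.14.5 - - [10/Jan/2024:12:00:02 +0000] "GET /backup HTTP/1.1" 200 25806 "-" "gobuster/3.6"
10.10.14.5 - - [10/Jan/2024:12:00:03 +0000] "GET /config HTTP/1.1" 200 25806 "-" "gobuster/3.6"
10.10.14.5 - - [10/Jan/2024:12:00:03 +0000] "GET /test HTTP/1.1" 200 25806 "-" "gobuster/3.6"
10.10.14.5 - - [10/Jan/2024:12:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 25806 "-" "gobuster/3.6"
192.168.1.20 - - [10/Jan/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 25806 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Jan/2024:12:00:09 +0000] "GET /admin HTTP/1.1" 200 7095 "-" "Mozilla/5.0"
"""

# One nginx "combined" line: client, timestamp, request line, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_dir_scanners(log_text, window_s=10, min_paths=5):
    """Map client IP -> largest number of distinct paths it requested inside any
    window_s-second window, for clients that reached min_paths. Status codes are
    deliberately ignored: a catch-all 200 server makes 404 counting useless."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            paths = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(paths) >= min_paths:
                flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged
```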
Task 7: Submit the root flag
Answer: 797d6c988d9dc5865e010b9410f247e0
Walkthrough:
Once you log in with the username admin and the password qwerty123, you will find the root flag as shown in the screenshot below:

Hope you enjoyed reading my blog about solving Ignition machine from HTB — Tier 1 — Starting Point Phase.
See You in another write-up!