#9 Ignition - Starting Point - Hack The Box || Complete Walkthrough

Ignition is a misconfigured web server that will demonstrate some basic networking and DNS probes.


Enumeration

Click on Spawn Machine and you can see the IP of the target machine:

Starting off with an Nmap scan that runs default script scanning and version detection, we will use the command below:

┌──(mrdev㉿mrdev)-[~] 
└─$ sudo nmap -sC -sV 10.129.56.255
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 23:25 IST 
Nmap scan report for 10.129.56.255
Host is up (0.28s latency).
Not shown: 999 closed tcp ports (reset)  
PORT   STATE SERVICE VERSION 
80/tcp open  http    nginx 1.14.2 
|_http-title: Did not follow redirect to http://ignition.htb/
|_http-server-header: nginx/1.14.2  
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.31 seconds    

This yields a single result: port 80 is open and running nginx 1.14.2. So far, this seems straightforward. However, in the output right below that, we notice that http-title returns "Did not follow redirect to http://ignition.htb/".

PORT   STATE SERVICE VERSION 
80/tcp open  http    nginx 1.14.2 
|_http-title: Did not follow redirect to http://ignition.htb/
|_http-server-header: nginx/1.14.2 

Copy the URL and try to access the webpage through a browser window. We are presented with an error. The "Check if there is a typo in ignition.htb" message references the same URL we found during our Nmap scan, but gives no further details as to what might cause this error to pop up when simply attempting to access the website. Below it, a more detailed error code is displayed: DNS_PROBE_FINISHED_NXDOMAIN.

After a quick Google search of the error, we learn that there might be two underlying reasons for this error appearing. 

  • We've mistyped the ignition.htb address in our URL search bar and the DNS servers can't find the associated IP address for the mistyped name. 
  • We never entered any hostname such as ignition.htb into the search bar, but the website expects us to.

I think this problem can be fixed by modifying the local DNS file named hosts, located in the /etc directory. If you are also a Windows user, do the same as I did:

Go to the C:\Windows\System32\drivers\etc path.

From here, copy the hosts file to the desktop to modify it, because you can't modify it in place. Now open this file and add the IP address with its associated hostname to the hosts table, which will in turn allow your web client to visit the website that was previously reporting an error.

Once you save the file, copy it back into the etc directory, replacing the original.

Once this configuration is complete, we can proceed to reload the target's webpage and verify if it loads successfully. Since the requested hostname now has an association in your "hosts" file, the website can load without issue. 
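The hosts-file step above, as an added example that is not part of the original post: a small parser and updater for the hosts format (the same "IP name [alias...]" layout on Linux and Windows). It goes slightly beyond the walkthrough by handling a stale entry, on the assumption that the resolver uses the first matching line; the 10.129.1.1 address and old.htb alias are constructed sample values.

```python
# Added example (not from the original post): hosts-file lookup and update.
# SAMPLE is constructed; only ignition.htb and 10.129.56.255 come from the page.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
10.129.1.1  ignition.htb old.htb   # stale, constructed entry from an earlier spawn
"""

def parse_hosts(text):
    """Yield (ip, [names]) per mapping line, skipping comments and blank lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], [n.lower() for n in fields[1:]]

def lookup(text, name):
    """Return the IP of the first line mapping name, or None (no local answer)."""
    name = name.lower()
    for ip, names in parse_hosts(text):
        if name in names:
            return ip
    return None

def set_mapping(text, ip, name):
    """Return hosts text where name maps to ip exactly once.

    Appending a new line would be shadowed by an older one (assumption: first
    match wins), so the name is removed from existing lines first. Other
    aliases and trailing comments on those lines are kept.
    """
    out = []
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) >= 2 and name.lower() in [f.lower() for f in fields[1:]]:
            kept = [f for f in fields[1:] if f.lower() != name.lower()]
            if not kept:
                continue  # the line mapped only this name: drop it
            line = " ".join([fields[0]] + kept) + (" #" + comment if sep else "")
        out.append(line)
    out.append(f"{ip} {name}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(set_mapping(SAMPLE, "10.129.56.255", "ignition.htb"), end="")
```

Running `set_mapping` twice with the same arguments returns identical text, so it is safe to re-run after each machine respawn.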

From here, we can start working towards gaining a foothold.


Foothold

After exploring the landing page for a short period of time, we can deduce that nothing helpful can be leveraged here. 


Using gobuster

The only option for exploring the website further is using gobuster.

┌──(mrdev㉿mrdev)-[~]
└─$ gobuster dir -u http://ignition.htb/ -w dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
=============================================================== 
[+] Url:                     http://ignition.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/24 23:47:57 Starting gobuster in directory enumeration mode
=============================================================== 
/contact              (Status: 200) [Size: 28673]
/home                 (Status: 200) [Size: 25802]
/media                (Status: 301) [Size: 185] [--> http://ignition.htb/media/]
/0                    (Status: 200) [Size: 25803]
/catalog              (Status: 302) [Size: 0] [--> http://ignition.htb/]
/static               (Status: 301) [Size: 185] [--> http://ignition.htb/static/]
/admin                (Status: 200) [Size: 7092]
/Home                 (Status: 301) [Size: 0] [--> http://ignition.htb/home]
/cms                  (Status: 200) [Size: 25817]
Progress: 1046 / 87665 (1.19%)
[ERROR] 2021/12/24 23:51:28 [!] context deadline exceeded (Client.Timeout or context cancellation while reading body)
Progress: 1069 / 87665 (1.22%)
^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/12/24 23:51:32 Finished
===============================================================

From the output of our gobuster script, we find our target. The /admin page returns a 200 response code, which signals its availability. We can navigate to it by appending it to the end of the URL.
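Seen from the server side, the scan above stands out in the nginx access log. The following is an added example, not from the original post: it flags clients either by the gobuster User-Agent shown in the scan banner or by many distinct paths that mostly return 404. The log lines (nginx "combined" format), client addresses and thresholds are constructed assumptions.

```python
# Added example (not from the original post): spot directory enumeration
# in nginx "combined" access-log lines. All sample data is constructed.
import re
from collections import defaultdict

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def log_line(ip, path, status, ua):
    """Build one constructed log line in nginx combined format."""
    return (f'{ip} - - [24/Dec/2021:23:48:01 +0530] "GET {path} HTTP/1.1" '
            f'{status} 185 "-" "{ua}"')

SAMPLE = (
    [log_line("192.0.2.10", p, s, "gobuster/3.1.0")
     for p, s in [("/contact", 200), ("/foo", 404), ("/admin", 200)]]
    + [log_line("192.0.2.20", f"/guess{i}", 404, "Mozilla/5.0") for i in range(5)]
    + [log_line("192.0.2.20", "/admin", 200, "Mozilla/5.0")]
    + [log_line("192.0.2.30", p, 200, "Mozilla/5.0") for p in ["/", "/home", "/contact"]]
)

def find_enumeration(lines, min_paths=5, min_404_ratio=0.8):
    """Return {client_ip: reason} for clients that look like path brute-forcers."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "n404": 0, "ua": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["paths"].add(m["path"])
        s["total"] += 1
        s["n404"] += m["status"] == "404"
        s["ua"].add(m["ua"])
    flagged = {}
    for ip, s in stats.items():
        if any("gobuster" in ua.lower() for ua in s["ua"]):
            flagged[ip] = "scanner user-agent"
        # The User-Agent is client-controlled, so also judge by behaviour.
        elif len(s["paths"]) >= min_paths and s["n404"] / s["total"] >= min_404_ratio:
            flagged[ip] = "many distinct paths, mostly 404"
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```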

A login screen is presented to us, with the Magento logo displayed in the middle of the page. A username and password are requested.

Let's try some default credentials for the Magento service to gain login access.


Magento Service Default credential vulnerability

Let’s try to log in with some default credentials:

admin:root123
admin:password1
admin:administrator1
admin:changeme1
admin:password123
admin:qwerty123

After manually attempting these, we land on a successful login. The correct combination is admin:qwerty123. Now we are presented with the Magento administrative panel, where the flag can be found under the Advanced Reporting section of the Dashboard.


Now copy the flag and paste it into Hack The Box. Congratulations!

Task Answers


TASK 1: Which service version is found to be running on port 80?

Ans. nginx 1.14.2


TASK 2: What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?

Ans. 302


TASK 3: What is the virtual hostname the webpage expects to be accessed by?

Ans. ignition.htb

TASK 4: What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?

Ans. /etc/hosts

TASK 5: What is the full URL to the Magento login page?

Ans. http://ignition.htb/admin


TASK 6: What password provides access as admin to Magento?

Ans. qwerty123
