Ignition is a misconfigured web server that will demonstrate to us some basic networking and DNS probes.
Enumeration
Click on Spawn Machine and you can see the IP of the target machine:
Starting off with an Nmap scan that triggers default script scanning and version detection, we will use the command below:
This yields a single result: port 80 is open and running Nginx 1.14.2. So far, this seems straightforward. However, from the output right below that, we notice that http-title returns Did not follow redirect to http://ignition.htb.
Copy the URL and try to access the webpage through a browser window. When we do, we are presented with the following error. The message "Check if there is a typo in ignition.htb" references the same URL we found during our Nmap scan, but gives no further details as to what might cause this error to pop up when simply attempting to access the website. Below it, a more detailed error code is displayed: DNS_PROBE_FINISHED_NXDOMAIN.
After a quick Google search of the error, we learn that there might be two underlying reasons for this error appearing.
- We've mistyped the ignition.htb address in our URL search bar and the DNS servers can't find the associated IP address for the mistyped name.
- We never entered any hostname such as ignition.htb into the search bar, but the website expects us to.
I think this problem can be fixed by modifying the local DNS file named hosts, located in the /etc directory. If you are also a Windows user, do the same as I did:
Go to the C:\Windows\System32\drivers\etc path.
From here, copy the hosts file to the desktop to modify it, because you can't modify it in place. Now open this file and add the IP address with its associated hostname to the hosts table, which will, in turn, allow your web client to visit the website that was previously reporting an error.
Once you save the file, copy it back into the etc directory, replacing the original file.
Once this configuration is complete, we can proceed to reload the target's webpage and verify if it loads successfully. Since the requested hostname now has an association in your "hosts" file, the website can load without issue.
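The manual edit above goes wrong in one common way: a stale line for the same hostname is left in the file and wins, because the first matching line is used. The following is an added example, not part of the original walkthrough, that updates hosts-file text so a hostname maps to exactly one IP; the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def upsert_hosts_entry(hosts_text, ip, hostname):
    """Return hosts-file text in which `hostname` maps only to `ip`."""
    ipaddress.ip_address(ip)          # raises ValueError on a malformed address
    wanted = hostname.lower()
    out, mapped = [], False
    for line in hosts_text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        names = [n.lower() for n in fields[1:]]
        if len(fields) < 2 or wanted not in names:
            out.append(line)          # blank, comment-only or unrelated line
            continue
        if fields[0] == ip and not mapped:
            out.append(line)          # already correct: keep untouched
            mapped = True
            continue
        # Stale or duplicate mapping: drop our hostname, keep other names on the line.
        others = [n for n in fields[1:] if n.lower() != wanted]
        if others:
            rebuilt = fields[0] + "\t" + " ".join(others)
            out.append(rebuilt + (" #" + comment if comment else ""))
    if not mapped:
        out.append(f"{ip}\t{hostname}")
    return "\n".join(out) + "\n"


def lookup(hosts_text, hostname):
    """Resolve `hostname` the way a hosts file does: first matching line wins."""
    for line in hosts_text.splitlines():
        fields = line.partition("#")[0].split()
        if len(fields) >= 2 and hostname.lower() in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


# Constructed sample: the addresses are placeholders, not the lab's real IPs.
SAMPLE = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "10.129.0.10     ignition.htb old.htb  # previous spawn\n"
)

if __name__ == "__main__":
    updated = upsert_hosts_entry(SAMPLE, "10.129.0.20", "ignition.htb")
    print(updated, end="")
    print("ignition.htb ->", lookup(updated, "ignition.htb"))
```

To use it on a real machine, read the hosts file into a string, pass it through upsert_hosts_entry, and write the result back with administrator rights.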
From here, we can start working towards gaining a foothold.
Foothold
After exploring the landing page for a short period of time, we can deduce that nothing helpful can be leveraged here.
Using gobuster
The only option for exploring the website further is using gobuster.
From the output of our gobuster script, we find our target. The /admin page returns a 200 response code, which signals its availability. We can navigate to it by appending it to the end of the URL.
A login screen is presented to us, with the Magento logo displayed in the middle of the page. A username and password are being requested.
Let’s try some default credentials for the Magento service to gain login access.
Magento Service Default credential vulnerability
Let’s try to log in with some default credentials:
After attempting them manually, we land on a successful login. The correct combination is admin:qwerty123. We are now presented with the Magento administrative panel, where the flag can be found under the Advanced Reporting section of the Dashboard.
Task Answers
TASK 1: Which service version is found to be running on port 80?
Ans. nginx 1.14.2
TASK 2: What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?
Ans. 302
TASK 3: What is the virtual hostname the webpage expects to be accessed by?
TASK 4: What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?
Ans. /etc/hosts
TASK 5: What is the full URL to the Magento login page?
Ans. http://ignition.htb/admin
TASK 6: What password provides access as admin to Magento?