Hack the Box — Preignition

HTB Tags: #Linux #PHP #DefaultCredentials.

This is the fifth box in the Starting Point series, and the second of the non-free VIP boxes, with a focus on directory busting against a Linux target. As usual, let’s start by enumerating with the standard commands, ping and nmap.

ping

ping $IP -c 4

nmap

nmap $IP

With only one port showing as open, port 80 (http), we can check out the website and enumerate its directories with gobuster.

website

The home page is the default nginx welcome page, indicating a successful install of the nginx web server.

From Google: NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started out as a web server designed for maximum performance and stability.

So let’s check out the folder structure.

gobuster

gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt

This runs gobuster with the common.txt wordlist that ships with dirb, chosen for speed.

foothold

We find an /admin.php file, which takes us to a login form.

default credentials

Testing first with a set of default credentials, we find that we can gain access with the classic admin:admin, which gives us the challenge flag.
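From the defender's side, both steps of this box (the gobuster scan and the follow-up login to /admin.php) leave a clear trace in the nginx access log: a burst of requests from one host that are almost all 404s, followed by a POST to the admin page from the same host. The script below is an added example, not part of this writeup or of any HTB material; it parses nginx "combined" format lines, flags hosts whose requests within a short window are mostly 404s, and then reports admin-page logins from those hosts. The log lines, IP addresses and the gobuster-style User-Agent are constructed for the demo, and the thresholds are assumptions to tune per site.

```python
"""Flag directory busting and admin-page logins in nginx access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# nginx "combined" log format: ip - user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def detect_dirbusting(entries, window=timedelta(seconds=30), min_requests=15, min_404_ratio=0.8):
    """Return {ip: peak 404 count} for hosts whose requests in some `window` are mostly 404s.

    The status ratio is the signal, not the User-Agent: a scanner's UA string is trivially
    changed, but a wordlist scan of a small site cannot avoid producing a wall of 404s.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        win = deque()          # sliding window of events within `window` of the newest one
        not_found = 0          # number of 404s currently inside the window
        for e in evs:
            win.append(e)
            not_found += int(e["status"] == 404)
            while e["ts"] - win[0]["ts"] > window:
                old = win.popleft()
                not_found -= int(old["status"] == 404)
            if len(win) >= min_requests and not_found / len(win) >= min_404_ratio:
                flagged[ip] = max(flagged.get(ip, 0), not_found)
    return flagged


def detect_admin_logins(entries, scanners, admin_path="/admin.php"):
    """Return (ip, status) for POSTs to the admin page sent by hosts already flagged as scanners.

    The access log does not record which credentials were tried, so this is a review trigger:
    a login attempt right after a scan is what a default-credential check looks like from here.
    """
    return [(e["ip"], e["status"]) for e in entries
            if e["ip"] in scanners and e["method"] == "POST" and e["path"] == admin_path]


def constructed_log():
    """Constructed sample log: one ordinary visitor and one host that scans, then logs in."""
    base = datetime(2022, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 162 "-" "{ua}"'

    lines = [line("10.0.0.5", 0, "GET", "/", 200, "Mozilla/5.0"),
             line("10.0.0.5", 40, "GET", "/index.html", 200, "Mozilla/5.0")]
    # A short constructed sample of wordlist entries; every one is missing on this server.
    words = ["cgi-bin", "images", "backup", "config", "test", "uploads", "include", "js",
             "css", "tmp", "old", "dev", "api", "login", "private", "data", "logs",
             "secret", "db", "files"]
    for i, w in enumerate(words):
        lines.append(line("10.0.0.9", 5 + i, "GET", f"/{w}", 404, "gobuster/3.1.0"))
    lines.append(line("10.0.0.9", 26, "GET", "/admin.php", 200, "gobuster/3.1.0"))
    lines.append(line("10.0.0.9", 90, "POST", "/admin.php", 302, "Mozilla/5.0"))
    return lines


def run(lines):
    """Parse the lines and return (scanners, admin_logins)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    scanners = detect_dirbusting(entries)
    return scanners, detect_admin_logins(entries, scanners)


if __name__ == "__main__":
    scanners, logins = run(constructed_log())
    print("directory busting from:", scanners)
    print("admin logins from scanning hosts:", logins)
```

On the constructed sample the scanning host is flagged with a peak of 20 404s in one window, and its later POST to /admin.php is reported for review; the ordinary visitor is not flagged. On a real server the same logic can be pointed at /var/log/nginx/access.log, and the admin page itself is better protected by an IP allowlist or a second authentication layer than by relying on this after-the-fact signal.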

summary

A nice, simple introduction to directory busting and enumeration. Other tools are available (dirb, dirbuster, ZAP, Burp Suite, etc.), and given the chance, this is the box on which to try them out and get familiar with them.

James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.