Hack the Box — Preignition

James Pearson
2 min readFeb 10, 2022


HTB Tags: #Linux #PHP #DefaultCredentials.

This is the fifth in the Starting Point series, and the second of the non-free VIP boxes with a focus on directory busting a Linux target. As normal, let’s start by enumerating with the standard commands, ping and nmap.


ping $IP -c 4


nmap $IP

With one port showing active, port 80 (http), we can check out the website and enumerate the directories with gobuster.


The home page indicates a success install of the nginx web server.

From Google: NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started out as a web server designed for maximum performance and stability.

So let’s check out the folder structure.


gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt

Using the dirb tool, common.txt file for speed:


We fiind an /admin.php file. This takes us to a login field.

default credentials

Testing initially with a set of default credentials we find that we can gain access with the classic admin:admin which gives us the challenge flag.


A nice simple introduction into directory busting and enumeration. There are other binaries available (dirb, dirbuster, ZAP and Burp Suite etc.) and given the chance, this is the box to test them and get familiar with these tools.



James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.