Hack The Box - Ignition
- Hacking By Doing
- Aug 1, 2022

In this post, we will solve the Ignition CTF challenge in HTB; feel free to hop over to hackthebox.com and try to solve it yourself as you follow along.
TASK 1
Which service version is found to be running on port 80?
I started by running an Nmap scan to list all the open ports and live hosts on the target IP with the following command:
"nmap -sV -sC "machine IP" --vv"
and found this running service on port 80.

Answer: nginx 1.14.2
TASK 2
What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?
I used the "curl -v http://machine IP" command and found the status code; 302 means that the resource we requested has been temporarily moved.

And also, notice the host.

Instead of the hostname, we get an IP address.
Answer: 302
TASK 3
What is the virtual host name the webpage expects to be accessed by?
By reading through the curl data, I found the answer.
This might fool you into thinking that you could navigate to ignition.htb and the website will be presented, but it still doesn't work, suggesting there might be a problem with the DNS.

Answer: ignition.htb
TASK 4
What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?
I used Google for this one and found out about the hosts file, which is a plain text file that all operating systems use to translate hostnames into IP addresses.
I will now edit the local hosts file to get access.
Editing the hosts file is very simple as I already know its location, so I simply needed to open it with a text editor and add the IP and DNS name.

Then I navigated to http://ignition.htb, and it works like a charm.

Answer: /etc/hosts
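Tasks 2 to 4 come down to one check: the server redirects to a name, and that name has to resolve locally. The sketch below is an added example, not part of the original walkthrough; the response text, the hosts file contents and the 192.0.2.x addresses are constructed, and it assumes the redirect carries the virtual host name in its Location header.

```python
from urllib.parse import urlsplit

# Constructed 302 response (added example); 192.0.2.10 stands in for the machine IP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx/1.14.2\r\n"
    "Location: http://ignition.htb/\r\n"
    "\r\n"
)

# Constructed hosts file contents (a comment, several names on one line).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 192.0.2.10 ignition.htb   <- commented out, must not count
192.0.2.77  other.htb www.other.htb
"""

def redirect_host(raw_response):
    """Return (status_code, hostname from Location) of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    location = headers.get("location")
    host = urlsplit(location).hostname if location else None
    return status, host

def hosts_lookup(hosts_text, name):
    """Return the IP that a hosts file maps `name` to, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None

def hosts_entry_needed(raw_response, hosts_text, server_ip):
    """Return the hosts line to add, or None if the name already resolves locally."""
    status, host = redirect_host(raw_response)
    if status not in (301, 302, 303, 307, 308) or host is None:
        return None
    if hosts_lookup(hosts_text, host) is not None:
        return None
    return f"{server_ip}\t{host}"

if __name__ == "__main__":
    print(hosts_entry_needed(SAMPLE_RESPONSE, SAMPLE_HOSTS, "192.0.2.10"))
```

The returned line is what gets appended to /etc/hosts; once it is present, the same call returns None.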
TASK 5
What is the full URL to the Magento login page?
Even though the answer was kind of obvious, I still wanted to use gobuster to solve this, so I used the command
"gobuster dir --url "ignition.htb" --wordlist /usr/share/wordlists/dirlist.txt"
commanding gobuster to go over the text list, and as you see, we get a 200 status meaning it's successful.

Answer: http://ignition.htb/admin
TASK 6
What password provides access as admin to Magento?
Unfortunately, the site has a security protection system to prevent brute force, meaning we will have to take an educated guess on this one.
I first tried "Admin" for both the username and password, which was unsuccessful, so I decided to use my good old friend Google to search for the most common passwords, leading me to this list.

After trying them out one by one, I successfully signed in with the 6th password on the list.

Answer: qwerty123
FLAG
The flag is presented in the dashboard panel.
Answer: 797d6c988d9dc5865e010b9410f247e0
Conclusion
Overall this wasn't the most complicated room, but it was a bit tricky; you do need to think outside the box for a little bit, and after all, this is what penetration testing is all about, so I'd say it's an excellent practice.
I hope you all enjoyed my walkthrough, and if you did, sharing this post will help me a lot! And if you feel extra generous, you might want to get me a cup of coffee.




