Ignition (Tier 1)
Description
Tier -> 1
Difficulty -> Very Easy
OS -> Linux
Tags -> Common Applications / Magento / Reconnaissance / Web Site Structure Discovery / Weak Credentials
Write-up
I started with an initial scan of all ports using Nmap
nmap 10.129.246.174 -p- -Pn --min-rate 2500 -oN scan.txt

Then I ran a more exhaustive scan to learn more about the services running on the open ports
nmap 10.129.246.174 -p80 -sVC -oN serv_scan.txt

With this, I answered the first question

Answer: nginx 1.14.2
As I found HTTP running on port 80, I visited the deployed content in the browser. When I tried to reach the site using the IP address, it redirected me to the ignition.htb domain, whose content could not be displayed

To learn more about the HTTP protocol you can go here
To check what could be happening I used the curl command to get information from the response to the request sent to the web server. This could be because I didn't have the domain in my list of known hosts. So to solve that, I added it to the /etc/hosts file, and after that I visited the site again and it worked properly
curl -v http://10.129.246.174
echo '10.129.246.174 ignition.htb' >> /etc/hosts


With this and a little research, I answered the next questions

Answer: 302

Answer: ignition.htb

Answer: /etc/hosts
I explored the features of the page but didn't find anything relevant, so I tried fuzzing the URL using Gobuster to find directories and files exposed on the web server
gobuster dir -u http://ignition.htb -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -o fuzz.txt

I found some interesting routes, the most relevant being the /admin route, so I navigated there to see the content and found a login page for the Magento CMS
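Seen from the server side, a wordlist scan like the Gobuster run above leaves a clear pattern in the nginx access log: one client requesting many distinct paths, almost all answered with 404. The following is an added example, not part of the original write-up; the log lines, IP addresses, user agent string and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_content_discovery(lines, min_requests=20, min_404_ratio=0.8):
    """Return {ip: summary} for clients whose traffic looks like wordlist fuzzing."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(),
                                 "hits": set(), "agents": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in combined format
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        s["agents"].add(m["ua"])
        if m["status"] == "404":
            s["not_found"] += 1
        else:
            s["hits"].add((m["path"], int(m["status"])))  # what the scan discovered
    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        # Many distinct paths plus a high miss rate separates fuzzing from browsing.
        if len(s["paths"]) >= min_requests and ratio >= min_404_ratio:
            flagged[ip] = {"requests": s["total"], "not_found": s["not_found"],
                           "found": sorted(s["hits"]), "agents": sorted(s["agents"])}
    return flagged

def sample_log():
    """Constructed sample: one fuzzing client and one ordinary visitor."""
    ts = "[10/Oct/2023:13:55:36 +0000]"
    lines = [f'10.10.14.5 - - {ts} "GET /word{i} HTTP/1.1" 404 153 "-" "gobuster/3.6"'
             for i in range(30)]
    lines.append(f'10.10.14.5 - - {ts} "GET /admin HTTP/1.1" 200 7095 "-" "gobuster/3.6"')
    lines.append(f'10.10.14.5 - - {ts} "GET /home HTTP/1.1" 200 25802 "-" "gobuster/3.6"')
    lines += [f'192.0.2.20 - - {ts} "GET / HTTP/1.1" 200 25806 "-" "Mozilla/5.0"'] * 3
    return lines

if __name__ == "__main__":
    for ip, info in find_content_discovery(sample_log()).items():
        print(ip, info)
```

The "found" list shows which paths the scanning client got a non-404 answer for, which tells the defender what an admin login page such as /admin has just been exposed to.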

With this and a little research, I answered the next questions

Answer: http://ignition.htb/admin

Answer:
As I didn't have any credentials, I tried some common ones and, after a little research on the topic, I found that the username admin and the password qwerty123 gave me access to the administrator dashboard. Finally, looking at the deployed content, I found the flag at first sight

With this, I got the root flag and pwned the machine

Answer: 797d6c988d9dc5865e010b9410f247e0