The aim of this walkthrough is to provide help with the Ignition machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 1 challenges.

SETUP

There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.

┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $ echo $rhost 
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

We could use the unset command to remove it after we no longer need it.

┌─[][htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $unset rhost 
┌─[htb-bluewalle@htb-pwdysfiide][~/Desktop]
└──╼ $

TASK 1

Question: Which service version is found to be running on port 80?

We start our recon phase with a quick connection check.

┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $ping $rhost -c 4
PING 10.129.131.157 (10.129.131.157) 56(84) bytes of data.
64 bytes from 10.129.131.157: icmp_seq=1 ttl=63 time=10.0 ms
64 bytes from 10.129.131.157: icmp_seq=2 ttl=63 time=9.71 ms
64 bytes from 10.129.131.157: icmp_seq=3 ttl=63 time=9.96 ms
64 bytes from 10.129.131.157: icmp_seq=4 ttl=63 time=9.39 ms

--- 10.129.131.157 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 9.392/9.768/10.012/0.245 ms
┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $

Then we use nmap to scan for available services (here only the top 1000 TCP ports).

┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $nmap -sV $rhost 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-09 10:32 BST
Nmap scan report for 10.129.131.157
Host is up (0.061s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.12 seconds
┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $

nginx 1.14.2

TASK 2

Question: What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?

We can use curl to check for the HTTP response.

┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $curl http://$rhost/ -v
*   Trying 10.129.131.157:80...
* Connected to 10.129.131.157 (10.129.131.157) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.129.131.157
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Server: nginx/1.14.2
< Date: Tue, 09 May 2023 09:35:24 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: PHPSESSID=ns892s27a79b6937pompemn6lv; expires=Tue, 09-May-2023 10:35:24 GMT; Max-Age=3600; path=/; domain=10.129.131.157; HttpOnly; SameSite=Lax
< Location: http://ignition.htb/
< Pragma: no-cache
< Cache-Control: max-age=0, must-revalidate, no-cache, no-store
< Expires: Mon, 09 May 2022 09:35:24 GMT
< Content-Security-Policy-Report-Only: font-src data: 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src fast.amc.demdex.net secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.paypal.com www.sandbox.paypal.com player.vimeo.com *.youtube.com 'self' 'unsafe-inline'; img-src assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net widgets.magentocommerce.com data: www.googleadservices.com www.google-analytics.com www.paypalobjects.com t.paypal.com www.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com s.ytimg.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com secure.authorize.net test.authorize.net www.googleadservices.com www.google-analytics.com www.paypalobjects.com js.braintreegateway.com www.paypal.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.sandbox.paypal.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com www.youtube.com video.google.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net www.google-analytics.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com 'self' 
'unsafe-inline'; child-src http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< 
* Connection #0 to host 10.129.131.157 left intact
┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $

302

TASK 3

Question: What is the virtual host name the webpage expects to be accessed by?

The answer for this one is already included in the curl response we got in the previous task.

But fingerprinting the server with whatweb would also get us to the answer.

┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $whatweb $rhost 
http://10.129.131.157 [302 Found] Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[nginx/1.14.2], HttpOnly[PHPSESSID], IP[10.129.131.157], RedirectLocation[http://ignition.htb/], UncommonHeaders[content-security-policy-report-only,x-content-type-options], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block], nginx[1.14.2]
ERROR Opening: http://ignition.htb/ - no address for ignition.htb
┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $

ignition.htb

TASK 4

Question: What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?

Simply accessing the found webpage - ignition.htb - will result in an error.

┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $curl http://ignition.htb
curl: (6) Could not resolve host: ignition.htb
┌─[][htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $

We can easily fix this by manually adding the host-to-IP mapping to our hosts file. This file is located at /etc/hosts on the pwnbox (Parrot OS, Debian-based).

┌─[][htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $echo -e "# ignition box | host -> ip resolution\n$rhost ignition.htb" | sudo tee -a /etc/hosts
# ignition box | host -> ip resolution
10.129.131.157 ignition.htb
┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $cat /etc/hosts
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 htb-wanag5dze3.htb-cloud.com htb-wanag5dze3
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# ignition box | host -> ip resolution
10.129.131.157 ignition.htb
┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $

/etc/hosts
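
The echo | tee -a command above appends a new line every time it is run, so a respawned box with a new address leaves duplicate entries behind. As an added example (not part of the original walkthrough), the script below extracts the virtual host from the redirect's Location header and keeps exactly one entry for it in a hosts file; the function names and the second IP address are constructed for illustration.

```bash
#!/bin/sh
# Added example; function names are illustrative.
# Sample headers trimmed from the curl output shown in TASK 2.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Server: nginx/1.14.2
Location: http://ignition.htb/'

# Read HTTP response headers on stdin, print the host named in Location.
vhost_from_headers() {
    tr -d '\r' | awk 'tolower($1) == "location:" {
        url = $2
        sub("^[a-zA-Z]+://", "", url)   # drop the scheme
        sub("[/:?#].*$", "", url)       # drop port, path, query, fragment
        print url
        exit
    }'
}

# Make FILE contain exactly one "IP NAME" line for NAME.
# Comments and unrelated entries are kept; a line that lists NAME together
# with other aliases is dropped whole (simplification for this example).
set_host_entry() {
    _file=$1; _ip=$2; _name=$3
    _tmp=$(mktemp) || return 1
    awk -v n="$_name" '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break      # rest of the line is a comment
                if ($i == n) next         # old mapping for NAME: skip line
            }
            print
        }' "$_file" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    printf '%s %s\n' "$_ip" "$_name" >> "$_tmp"
    cat "$_tmp" > "$_file"                # overwrite in place, keep file mode
    rm -f "$_tmp"
}

# Demo on a scratch copy: first spawn, then a respawn with a new address.
demo() {
    _hosts=$(mktemp) || return 1
    printf '127.0.0.1 localhost\n# ignition box\n' > "$_hosts"
    _vhost=$(printf '%s\n' "$SAMPLE_HEADERS" | vhost_from_headers)
    set_host_entry "$_hosts" 10.129.131.157 "$_vhost"
    set_host_entry "$_hosts" 10.129.0.2 "$_vhost"   # constructed new IP
    cat "$_hosts"
    rm -f "$_hosts"
}
demo
```

To apply it to the real file, run set_host_entry on a copy of /etc/hosts and install the result with sudo cp.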

TASK 5

Question: Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page?

Here we use gobuster in directory discovery mode with the common dirb list.

┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $gobuster dir -u http://ignition.htb/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://ignition.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/05/09 10:49:03 Starting gobuster in directory enumeration mode
===============================================================
/0                    (Status: 200) [Size: 25803]
/admin                (Status: 200) [Size: 7095] 
/catalog              (Status: 302) [Size: 0] [--> http://ignition.htb/]
/checkout             (Status: 302) [Size: 0] [--> http://ignition.htb/checkout/cart/]
/cms                  (Status: 200) [Size: 25817]                                     
/contact              (Status: 200) [Size: 28673]                                     
/enable-cookies       (Status: 200) [Size: 27176]                                     
/errors               (Status: 301) [Size: 185] [--> http://ignition.htb/errors/]     
/Home                 (Status: 301) [Size: 0] [--> http://ignition.htb/home]          
/home                 (Status: 200) [Size: 25802]                                     
/index.php            (Status: 200) [Size: 25815]                                     
/media                (Status: 301) [Size: 185] [--> http://ignition.htb/media/]      
/opt                  (Status: 301) [Size: 185] [--> http://ignition.htb/opt/]        
/rest                 (Status: 400) [Size: 52]                                        
/robots.txt           (Status: 200) [Size: 1]                                         
/robots               (Status: 200) [Size: 1]                                         
/setup                (Status: 301) [Size: 185] [--> http://ignition.htb/setup/]      
/soap                 (Status: 200) [Size: 391]                                       
/static               (Status: 301) [Size: 185] [--> http://ignition.htb/static/]     
/wishlist             (Status: 302) [Size: 0] [--> http://ignition.htb/customer/account/login/referer/aHR0cDovL2lnbml0aW9uLmh0Yi93aXNobGlzdA%2C%2C/]
===============================================================
2023/05/09 11:03:00 Finished
===============================================================
┌─[htb-bluewalle@htb-wanag5dze3][~/ignition]
└──╼ $

The /admin page looks the most promising, so we check it out.

[Image: Magento admin login page]

We found the admin login page for Magento.

http://ignition.htb/admin

TASK 6

Question: Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?

While looking up the password requirements, we come across this:

Magento requires a minimum of seven characters (both letters and numbers). We recommend using something a bit more robust — a 10-12 character alphanumeric password. Pro-tip — Don't try to think of a password yourself.

So our admin password is probably at least seven characters long. Moreover, we find this, when we search for the most common passwords in 2023:

  • 123456
  • 123456789
  • qwerty
  • password
  • 12345
  • qwerty123
  • 1q2w3e
  • 12345678
  • 111111
  • 1234567890

Since the minimum password length is seven characters, our list shrinks to this one:

  • 123456789
  • password
  • qwerty123
  • 12345678
  • 1234567890

Trying them out one-by-one is successful and we can log in.

Magento weak credentials
username: admin
password: qwerty123

qwerty123
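
The quoted requirement has two parts, a minimum length and a mix of letters and numbers, while the list above was filtered on length only. As an added example (not part of the original walkthrough, and not Magento's own code), the script below applies both parts to the same ten passwords and adds the denylist check an administrator would pair with such composition rules; the function names and the sample strong password are constructed for illustration.

```bash
#!/bin/sh
# Added example; function names are illustrative, not Magento's API.
# Constructed input: the ten common passwords listed in this walkthrough.
COMMON_PASSWORDS='123456
123456789
qwerty
password
12345
qwerty123
1q2w3e
12345678
111111
1234567890'

# Rule 1 of the quoted requirement: at least seven characters.
long_enough() { [ "${#1}" -ge 7 ]; }

# Rule 2 of the quoted requirement: both a letter and a digit.
mixed() {
    case $1 in *[A-Za-z]*) ;; *) return 1 ;; esac
    case $1 in *[0-9]*)    ;; *) return 1 ;; esac
}

# Denylist check: exact, whole-line match against the common list.
is_common() { printf '%s\n' "$COMMON_PASSWORDS" | grep -Fxq -- "$1"; }

# usage: passing RULE...  -> prints the list entries that pass every RULE
passing() {
    printf '%s\n' "$COMMON_PASSWORDS" | while IFS= read -r p; do
        ok=1
        for rule in "$@"; do "$rule" "$p" || ok=0; done
        if [ "$ok" -eq 1 ]; then printf '%s\n' "$p"; fi
    done
}

# Set-password check: composition rules AND not on the denylist.
acceptable() { long_enough "$1" && mixed "$1" && ! is_common "$1"; }

echo "length only:";      passing long_enough
echo "length and mixed:"; passing long_enough mixed
for candidate in qwerty123 k7Vd2qLm9x; do   # second value is constructed
    if acceptable "$candidate"; then
        echo "$candidate: accepted"
    else
        echo "$candidate: rejected"
    fi
done
```

Only one entry of the list satisfies both composition rules, and the denylist check is what rejects it.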

SUBMIT FLAG

After logging in, we are greeted with the flag.

[Image: Magento dashboard after login, showing the flag]

Question: Submit root flag

flag

Congratulations, we just successfully pwned the target machine. All we have left to do now is to terminate the target box (if not terminated automatically) before we continue with the next box!